<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Eric Biggers <ebiggers () kernel org>
Date: Tue, 28 Jul 2020 11:59:14 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Tue, Jul 28, 2020 at 11:16:55AM +0800, 张云海 wrote:
There is a buffer over write in drivers/video/console/vgacon.c in
vgacon_scrollback_update.
The issue is reported by Yunhai Zhang / NSFOCUS Security Team
<zhangyunhai () nsfocus com>, CVE-2020-14331 assigned via Red Hat.
# Affected Versions
The issue is found and tested on 5.7.0-rc6.
The issue is introduced in commit:
15bdab959c9bb909c0317480dd9b35748a8f7887 ([PATCH] vgacon: Add support
for soft scrollback)
According to code review, all versions older than
92ed301919932f777713b9172e525674157e983d (v5.8-rc7) are affected.
Thanks for the writeup. Note that there are many open syzbot reports in the
fbdev, vt, and vgacon kernel subsystems. These subsystems aren't actively
maintained (receiving drive-by fixes only), and the kernel developers recommend
to not enable these subsystems if you care about security
(https://lkml.kernel.org/lkml/CAKMK7uF5zZH3CaHueWsLR96-AzT==wP8=MpymTqx-T+SRsXWHA () mail gmail com/).
This particular bug, for example, appears to have been already found by someone
running syzkaller and publicly reported over 2 years ago, with a C reproducer:
(https://lkml.kernel.org/lkml/CAEAjamsJnG-=TSOwgRbbb3B9Z-PA63oWmNPoKYWQ=Z=+X49akg () mail gmail com/).
No one did anything.
I suggest that people relying on the security of these kernel subsystems
contribute resources to fixing the many known fuzzing bugs in them.
- Eric
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update 张云海 (Jul 28)
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update Eric Biggers (Jul 28)
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update Solar Designer (Jul 29)
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update 张云海 (Jul 30)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->