CVE-2024-50048 Information
Description
In the Linux kernel the following vulnerability has been resolved:
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer:
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/fb.h>
#include <linux/tiocl.h>

/* TIOCLINUX argument: subcommand byte followed by the selection. */
struct param {
	uint8_t type;
	struct tiocl_selection ts;
};

int main()
{
	struct fb_con2fbmap con2fb;
	struct param param;

	int fd = open("/dev/fb1", 0, 0);

	/* Map a not-yet-initialised console onto framebuffer 0. */
	con2fb.console = 0x19;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	/* TIOCL_SETSEL: create a selection so the later redraw runs clear_selection(). */
	param.type = 2;
	param.ts.xs = 0; param.ts.ys = 0;
	param.ts.xe = 0; param.ts.ye = 0;
	param.ts.sel_mode = 0;

	int fd1 = open("/dev/tty1", O_RDWR, 0);
	ioctl(fd1, TIOCLINUX, &param);

	/* Second mapping takes the redraw path that reaches the NULL ops->putcs. */
	con2fb.console = 1;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	return 0;
}
After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:
set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs
Since ops->putcs is a NULL pointer at that point, this leads to a kernel panic. To prevent this, set_blitting_type() must be called within set_con2fb_map() so that ops->putcs is initialized before the redraw path reaches fbcon_putcs().
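The following is an added userspace model of the bug class described above, not the kernel's code or the reproducer from the commit. It mirrors the advisory's names (set_con2fb_map, set_blitting_type, fbcon_putcs, redraw_screen, ops->putcs) on simplified stand-in structures: the ops table starts zeroed, only set_blitting_type() fills in putcs, and a redraw triggered by an active selection dereferences it. Instead of crashing, the model's fbcon_putcs() returns -1 where the kernel would hit the NULL dereference, so the unfixed and fixed orderings can be compared side by side. The struct layouts, the selection flag and the screen contents are constructed for the example.

```c
/*
 * Userspace model of CVE-2024-50048: a function pointer in the console's
 * ops table is only installed by set_blitting_type(), but a path reachable
 * from set_con2fb_map() calls through it first. Names follow the advisory;
 * struct layouts and bodies are simplified stand-ins, not kernel code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COLS 8

/* Stand-in for struct fbcon_ops: only the pointer the bug concerns. */
struct fbcon_ops {
    void (*putcs)(char *screen, const char *s, int count, int xpos);
};

/* Stand-in for a per-console display: ops table, tiny screen, selection state. */
struct vc_data {
    struct fbcon_ops ops;     /* zeroed on allocation, so ops.putcs == NULL */
    char screen[COLS + 1];
    bool selection_active;    /* models the state set by TIOCLINUX TIOCL_SETSEL */
};

/* The concrete blitter that set_blitting_type() would choose. */
static void bit_putcs(char *screen, const char *s, int count, int xpos)
{
    memcpy(screen + xpos, s, (size_t)count);
}

/* Model of set_blitting_type(): installs the putcs implementation. */
static void set_blitting_type(struct vc_data *vc)
{
    vc->ops.putcs = bit_putcs;
}

/* Model of fbcon_putcs(): indirect call through ops.putcs.
 * Returns -1 where the kernel would dereference NULL, so the unfixed
 * ordering is observable from userspace instead of crashing. */
static int fbcon_putcs(struct vc_data *vc, const char *s, int count, int xpos)
{
    if (vc->ops.putcs == NULL)
        return -1;
    vc->ops.putcs(vc->screen, s, count, xpos);
    return 0;
}

/* Model of the tail of the chain in the advisory:
 * redraw_screen -> hide_cursor -> clear_selection -> ... -> fbcon_putcs.
 * The redraw only reaches putcs when a selection is active, which is why
 * the reproducer needs the TIOCLINUX call between the two mappings. */
static int redraw_screen(struct vc_data *vc)
{
    if (!vc->selection_active)
        return 0;
    vc->selection_active = false;
    return fbcon_putcs(vc, "--------", COLS, 0);   /* constructed content */
}

/* Model of set_con2fb_map(); 'fixed' selects the patched ordering. */
static int set_con2fb_map(struct vc_data *vc, bool fixed)
{
    if (fixed)
        set_blitting_type(vc);   /* the fix: initialise ops.putcs before redraw */
    return redraw_screen(vc);
}

/* Replays the reproducer's sequence against the model and returns the
 * result of the second FBIOPUT_CON2FBMAP: -1 models the panic, 0 success. */
int run_sequence(bool fixed)
{
    struct vc_data vc;
    memset(&vc, 0, sizeof vc);
    memset(vc.screen, ' ', COLS);

    set_con2fb_map(&vc, fixed);   /* first FBIOPUT_CON2FBMAP: no selection yet */
    vc.selection_active = true;   /* TIOCLINUX creates a selection */
    return set_con2fb_map(&vc, fixed);
}

int main(void)
{
    printf("unfixed ordering: %d\n", run_sequence(false));
    printf("fixed ordering:   %d\n", run_sequence(true));
    return 0;
}
```

The model makes the point of the fix visible: the dangerous state is not the indirect call itself but an ops table that can be reached through a redraw before its initialisation routine has run, so the correct repair is to move initialisation ahead of every path that dispatches through it rather than to special-case the caller that happened to crash.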
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Reference
https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e
https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b
https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b
https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
5.5
Base Severity
MEDIUM