oss-sec mailing list archives
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update
From: Eric Biggers <ebiggers () kernel org>
Date: Tue, 28 Jul 2020 11:59:14 -0700
On Tue, Jul 28, 2020 at 11:16:55AM +0800, 张云海 wrote:
There is a buffer over write in drivers/video/console/vgacon.c in vgacon_scrollback_update. The issue is reported by Yunhai Zhang / NSFOCUS Security Team <zhangyunhai () nsfocus com>, CVE-2020-14331 assigned via Red Hat. # Affected Versions The issue is found and tested on 5.7.0-rc6. The issue is introduced in commit: 15bdab959c9bb909c0317480dd9b35748a8f7887 ([PATCH] vgacon: Add support for soft scrollback) According to code review, all versions older than 92ed301919932f777713b9172e525674157e983d (v5.8-rc7) are affected.
Thanks for the writeup. Note that there are many open syzbot reports in the fbdev, vt, and vgacon kernel subsystems. These subsystems aren't actively maintained (receiving drive-by fixes only), and the kernel developers recommend to not enable these subsystems if you care about security (https://lkml.kernel.org/lkml/CAKMK7uF5zZH3CaHueWsLR96-AzT==wP8=MpymTqx-T+SRsXWHA () mail gmail com/). This particular bug, for example, appears to have been already found by someone running syzkaller and publicly reported over 2 years ago, with a C reproducer: (https://lkml.kernel.org/lkml/CAEAjamsJnG-=TSOwgRbbb3B9Z-PA63oWmNPoKYWQ=Z=+X49akg () mail gmail com/). No one did anything. I suggest that people relying on the security of these kernel subsystems contribute resources to fixing the many known fuzzing bugs in them. - Eric
Current thread:
- [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update 张云海 (Jul 28)
- Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update Eric Biggers (Jul 28)