oss-sec mailing list archives

stack buffer overflow in fbdev

From: Tavis Ormandy <taviso () gmail com>
Date: Fri, 19 Jul 2019 07:03:43 -0700

Hello, during a conversation on twitter we noticed a stack buffer
overflow in fbdev with malicious edid data:

https://github.com/torvalds/linux/blob/22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16/drivers/video/fbdev/core/fbmon.c#L1033

There is enough space to have 52 1-byte length values, which makes svd_n
52, then make the final value length 0x1f (the maximum), which makes
svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled
data.

This requires a malicious monitor / projector / etc, so pretty low impact.

I pulled out the code to make a demo (I removed the checksum, but it
doesnt prevent the bug):

https://gist.github.com/taviso/923776e633cb8fb1ab847cce761a0f10

This was discovered by Nico Waisman of Semmle.

Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

Current thread:

stack buffer overflow in fbdev Tavis Ormandy (Jul 19)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 21)
  - Re: stack buffer overflow in fbdev Daniel Vetter (Jul 22)
    - Re: stack buffer overflow in fbdev Linus Torvalds (Jul 22)
    - Re: stack buffer overflow in fbdev Bartlomiej Zolnierkiewicz (Jul 22)
    - Re: stack buffer overflow in fbdev Daniel Vetter (Jul 23)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 23)