oss-sec mailing list archives
stack buffer overflow in fbdev
From: Tavis Ormandy <taviso () gmail com>
Date: Fri, 19 Jul 2019 07:03:43 -0700
Hello, during a conversation on twitter we noticed a stack buffer overflow in fbdev with malicious edid data: https://github.com/torvalds/linux/blob/22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16/drivers/video/fbdev/core/fbmon.c#L1033 There is enough space to have 52 1-byte length values, which makes svd_n 52, then make the final value length 0x1f (the maximum), which makes svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled data. This requires a malicious monitor / projector / etc, so pretty low impact. I pulled out the code to make a demo (I removed the checksum, but it doesnt prevent the bug): https://gist.github.com/taviso/923776e633cb8fb1ab847cce761a0f10 This was discovered by Nico Waisman of Semmle. Tavis. -- ------------------------------------- taviso () sdf lonestar org | finger me for my pgp key. -------------------------------------------------------
Current thread:
- stack buffer overflow in fbdev Tavis Ormandy (Jul 19)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 21)
- Re: stack buffer overflow in fbdev Daniel Vetter (Jul 22)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 22)
- Re: stack buffer overflow in fbdev Bartlomiej Zolnierkiewicz (Jul 22)
- Re: stack buffer overflow in fbdev Daniel Vetter (Jul 23)
- Re: stack buffer overflow in fbdev Daniel Vetter (Jul 22)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 21)
- Re: stack buffer overflow in fbdev Linus Torvalds (Jul 23)