Re: stack buffer overflow in fbdev

[Linus Torvalds <torvalds () linux-foundation org>]

Completely untested patch attached. There are probably better ways to do this.

Adding the proper people to the cc, and quoting Tavis' email in its entirety.

Daniel - you got added despite not being explicitly listed as
maintainer because you've touched fbdev/core/ more than most lately,
plus you know edid anyway. As such: "tag, you're it, sucker".

                Linus

On Sat, Jul 20, 2019 at 5:35 PM Tavis Ormandy <taviso () gmail com> wrote:
> Hello, during a conversation on twitter we noticed a stack buffer
> overflow in fbdev with malicious edid data:
>
> https://github.com/torvalds/linux/blob/22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16/drivers/video/fbdev/core/fbmon.c#L1033
>
> There is enough space to have 52 1-byte length values, which makes svd_n
> 52, then make the final value length 0x1f (the maximum), which makes
> svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled
> data.
>
> This requires a malicious monitor / projector / etc, so pretty low impact.
>
> I pulled out the code to make a demo (I removed the checksum, but it
> doesnt prevent the bug):
>
> https://gist.github.com/taviso/923776e633cb8fb1ab847cce761a0f10
>
> This was discovered by Nico Waisman of Semmle.
>
> Tavis.
>
> --
> -------------------------------------
> taviso () sdf lonestar org | finger me for my pgp key.
> -------------------------------------------------------

Attachment: patch.diff
Description: