oss-sec mailing list archives

Re: stack buffer overflow in fbdev


From: Linus Torvalds <torvalds () linux-foundation org>
Date: Tue, 23 Jul 2019 10:08:17 -0700

On Sat, Jul 20, 2019 at 5:35 PM Tavis Ormandy <taviso () gmail com> wrote:

> There is enough space to have 52 1-byte length values, which makes svd_n
> 52, then make the final value length 0x1f (the maximum), which makes
> svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled
> data.
>
> This requires a malicious monitor / projector / etc, so pretty low impact.

Ok, so I went back all the way to 3.16, and in 4.4 and earlier the
only user of fb_edid_add_monspecs() was that SH-Mobile SoCs driver
that got removed for no use.

So I think we can ignore this even for stable kernels, and I'll get
the pull request that removes the function entirely some time in the
future.

             Linus
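
The arithmetic in the quoted report (52 + 0x1f = 83 against a 64-byte svd[]) can be checked with a bounded collector. This is an added example, not part of the message and not the kernel's fb_edid_add_monspecs(); the names collect_svds and build_blocks are hypothetical, and it assumes the CEA-861 data block header layout (tag in bits 7-5, length in bits 4-0, video tag 2).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVD_MAX   64  /* size of the svd[] buffer named in the report */
#define TAG_VIDEO 2   /* CEA-861 video data block tag (assumed layout) */

/* Added example, simplified model (not the kernel's code). Data block header:
 * tag in bits 7-5, length in bits 4-0. Returns SVD count, or -1 on overrun. */
int collect_svds(const uint8_t *db, size_t db_len, uint8_t svd[SVD_MAX])
{
    size_t pos = 0, svd_n = 0;
    while (pos < db_len) {
        uint8_t len = db[pos] & 0x1f, tag = db[pos] >> 5;
        pos++;
        if (len > db_len - pos)
            return -1;               /* payload runs past the input */
        if (tag == TAG_VIDEO) {
            if (len > SVD_MAX - svd_n)
                return -1;           /* would write past svd[] */
            memcpy(svd + svd_n, db + pos, len);
            svd_n += len;
        }
        pos += len;
    }
    return (int)svd_n;
}

/* Constructed input: n_small video blocks of length 1, then optionally one of
 * length 0x1f. out must hold 2 * n_small + 32 bytes. Returns bytes written. */
size_t build_blocks(uint8_t *out, int n_small, int add_max)
{
    size_t n = 0;
    for (int i = 0; i < n_small; i++) {
        out[n++] = (TAG_VIDEO << 5) | 1;
        out[n++] = 0x01;
    }
    if (add_max) {
        out[n++] = (TAG_VIDEO << 5) | 0x1f;
        memset(out + n, 0x02, 0x1f);
        n += 0x1f;
    }
    return n;
}

int main(void)
{
    uint8_t in[136], svd[SVD_MAX];
    return printf("%d\n", collect_svds(in, build_blocks(in, 52, 1), svd)) < 0;
}
```

The two checks are independent: one bounds reads against the input length, the other bounds the running svd_n against the destination before each copy.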
