oss-sec mailing list archives
Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update
From: Solar Designer <solar () openwall com>
Date: Wed, 29 Jul 2020 14:58:39 +0200
On Tue, Jul 28, 2020 at 11:59:14AM -0700, Eric Biggers wrote:
> On Tue, Jul 28, 2020 at 11:16:55AM +0800, 张云海 wrote:
> > There is a buffer overwrite in drivers/video/console/vgacon.c in vgacon_scrollback_update. The issue is reported by Yunhai Zhang / NSFOCUS Security Team <zhangyunhai () nsfocus com>, CVE-2020-14331 assigned via Red Hat.
> >
> > # Affected Versions
> >
> > The issue is found and tested on 5.7.0-rc6. The issue is introduced in commit: 15bdab959c9bb909c0317480dd9b35748a8f7887 ([PATCH] vgacon: Add support for soft scrollback)
>
> That was in 2006.
>
> > According to code review, all versions older than 92ed301919932f777713b9172e525674157e983d (v5.8-rc7) are affected.
>
> Thanks for the writeup. Note that there are many open syzbot reports in the fbdev, vt, and vgacon kernel subsystems. These subsystems aren't actively maintained (receiving drive-by fixes only), and the kernel developers recommend not enabling these subsystems if you care about security (https://lkml.kernel.org/lkml/CAKMK7uF5zZH3CaHueWsLR96-AzT==wP8=MpymTqx-T+SRsXWHA () mail gmail com/).
>
> This particular bug, for example, appears to have been already found by someone running syzkaller and publicly reported over 2 years ago, with a C reproducer: (https://lkml.kernel.org/lkml/CAEAjamsJnG-=TSOwgRbbb3B9Z-PA63oWmNPoKYWQ=Z=+X49akg () mail gmail com/). No one did anything.
>
> I suggest that people relying on the security of these kernel subsystems contribute resources to fixing the many known fuzzing bugs in them.
Wow. I suppose the biggest risk here is services that just happen to run on the console (or are able to access it if they re-open /dev/tty) as a result of normal system startup. Since an ioctl() is required at least to trigger CVE-2020-14331, at least this one is limited to attacks by someone who already got code execution within one of such services, but I suppose it could in some cases be used to gain ring 0 access from a non-root pseudo-user that the service (or even merely its privsep child) might run as.

If any other related issues are triggerable purely by terminal escape codes, it's much worse - could even allow for remote attacks without a prior compromise of any service.

Do others see this same threat model or something different? I think non-root users with intentional console access mounting attacks is less of a concern.

Meanwhile, Jiri Slaby brought the discussion around fixing vgacon properly to LKML:

https://lists.openwall.net/linux-kernel/2020/07/29/234

The patch posted in this very first LKML message (with the added check before the loop) is already known to be insufficient - see the follow-ups. The patch posted by Yunhai Zhang here on oss-security (with the added check in the loop) is still considered sufficient.

Alexander
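Added illustration, not code from this thread or from the kernel: a constructed C model of a scrollback ring buffer whose wrap check runs after each row, showing why a fit check done only once before the copy loop still lets a later row run past the end, while repeating the check on every iteration does not. Buffer size, row size and row count are constructed values; a `size` that is not a multiple of `row_size` stands in for a console whose row width changed after the buffer was sized.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a soft-scrollback ring buffer. Names, sizes and the
 * row contents are assumptions for illustration, not the kernel's code. */
#define SB_CAPACITY 64

struct scrollback {
    unsigned char data[SB_CAPACITY];
    size_t size;   /* bytes of data[] in use, fixed when the buffer was set up */
    size_t tail;   /* next write offset into data[] */
};

/* Store one row at tail if it fits, otherwise count an out-of-bounds write
 * instead of performing it; then advance and wrap tail like a ring buffer. */
static void push_row(struct scrollback *sb, size_t row_size, unsigned *oob)
{
    if (sb->tail + row_size <= sb->size)
        memset(sb->data + sb->tail, 0xAA, row_size);  /* stand-in for a row copy */
    else
        (*oob)++;
    sb->tail += row_size;
    if (sb->tail >= sb->size)
        sb->tail = 0;
}

/* Scroll `rows` rows of `row_size` bytes into the buffer and return how many
 * rows would have landed past data[size]. check_in_loop selects whether the
 * fit check runs once before the loop or on every iteration. */
unsigned scrollback_update(struct scrollback *sb, size_t row_size,
                           unsigned rows, bool check_in_loop)
{
    unsigned oob = 0;
    if (!check_in_loop && sb->tail + row_size > sb->size)
        sb->tail = 0;                 /* single check before the loop */
    while (rows--) {
        if (check_in_loop && sb->tail + row_size > sb->size)
            sb->tail = 0;             /* check repeated for every row */
        push_row(sb, row_size, &oob);
    }
    return oob;
}

/* Fresh buffer of `size` bytes (size <= SB_CAPACITY), then one update;
 * returns the out-of-bounds row count for the chosen check placement. */
unsigned simulate(size_t size, size_t row_size, unsigned rows, bool check_in_loop)
{
    struct scrollback sb = { .size = size, .tail = 0 };
    return scrollback_update(&sb, row_size, rows, check_in_loop);
}
```

With 64 bytes of storage and 24-byte rows, the pre-loop check passes for the first row, but the third row starts at offset 48 and would end at 72; only the per-row check catches it.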