In the Linux kernel, the following vulnerability has been resolved:
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:
struct param {
uint8_t type;
struct tiocl_selection ts;
};
int main()
{
struct fb_con2fbmap con2fb;
struct param param;
int fd = open("/dev/fb1", 0, 0);
con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;
int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, ¶m);
con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
return 0;
}
After calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:
set_con2fb_map
-> con2fb_init_display
-> fbcon_set_disp
-> redraw_screen
-> hide_cursor
-> clear_selection
-> highlight
-> invert_screen
-> do_update_region
-> fbcon_putcs
-> ops->putcs
Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.
References
Configurations
Configuration 1 (hide)
|
History
23 Oct 2024, 21:46
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
First Time |
Linux linux Kernel
Linux |
|
References | () https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7 - Patch | |
References | () https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e - Patch | |
References | () https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b - Patch | |
References | () https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b - Patch | |
CWE | CWE-476 | |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
23 Oct 2024, 15:12
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
21 Oct 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-21 20:15
Updated : 2024-10-23 21:46
NVD link : CVE-2024-50048
Mitre link : CVE-2024-50048
CVE.ORG link : CVE-2024-50048
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-476
NULL Pointer Dereference