CVE-2024-50048

In the Linux kernel, the following vulnerability has been resolved: fbcon: Fix a NULL pointer dereference issue in fbcon_putcs syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer: struct param { uint8_t type; struct tiocl_selection ts; }; int main() { struct fb_con2fbmap con2fb; struct param param; int fd = open("/dev/fb1", 0, 0); con2fb.console = 0x19; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); param.type = 2; param.ts.xs = 0; param.ts.ys = 0; param.ts.xe = 0; param.ts.ye = 0; param.ts.sel_mode = 0; int fd1 = open("/dev/tty1", O_RDWR, 0); ioctl(fd1, TIOCLINUX, &param); con2fb.console = 1; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); return 0; } After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path: set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call set_blitting_type() within set_con2fb_map() to properly initialize ops->putcs.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

23 Oct 2024, 21:46

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7 - () https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7 - Patch
References () https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e - () https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e - Patch
References () https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b - () https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b - Patch
References () https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b - () https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b - Patch
CWE CWE-476
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fbcon: soluciona un problema de desreferencia de puntero NULL en fbcon_putcs syzbot ha encontrado un error de desreferencia de puntero NULL en fbcon. Aquí está el reproductor C simplificado: struct param { uint8_t type; struct tiocl_selection ts; }; int main() { struct fb_con2fbmap con2fb; struct param param; int fd = open("/dev/fb1", 0, 0); con2fb.console = 0x19; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); param.type = 2; param.ts.xs = 0; param.ts.ys = 0; param.ts.xe = 0; param.ts.ye = 0; param.ts.sel_mode = 0; int fd1 = open("/dev/tty1", O_RDWR, 0); ioctl(fd1, TIOCLINUX, &param); con2fb.console = 1; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); devolver 0; } Después de llamar a ioctl(fd1, TIOCLINUX, &param), el ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) subsiguiente hace que el núcleo siga una ruta de ejecución diferente: set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs Dado que ops->putcs es un puntero NULL, esto lleva a un pánico del núcleo. Para evitar esto, necesitamos llamar a set_blitting_type() dentro de set_con2fb_map() para inicializar correctamente ops->putcs.

21 Oct 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 20:15

Updated : 2024-10-23 21:46


NVD link : CVE-2024-50048

Mitre link : CVE-2024-50048

CVE.ORG link : CVE-2024-50048


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference