admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-06-19 17:30:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2024/CVE-2024-26798.md
0xMarcio 48a00929ac Removed duplicates
2024-06-18 02:51:15 +02:00

2.6 KiB
Raw Blame History

CVE-2024-26798

Description

In the Linux kernel, the following vulnerability has been resolved:fbcon: always restore the old font data in fbcon_do_set_font()Commit a5a923038d70 (fbdev: fbcon: Properly revert changes whenvc_resize() failed) started restoring old font data upon failure (ofvc_resize()). But it performs so only for user fonts. It means that the"system"/internal fonts are not restored at all. So in result, the veryfirst call to fbcon_do_set_font() performs no restore at all uponfailing vc_resize().This can be reproduced by Syzkaller to crash the system on the nextinvocation of font_get(). It's rather hard to hit the allocation failurein vc_resize() on the first font_set(), but not impossible. Esp. iffault injection is used to aid the execution/failure. It wasdemonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ...So restore the font data in any case, not only for user fonts. Note thelater 'if' is now protected by 'old_userfont' and not 'old_data' as thelatter is always set now. (And it is supposed to be non-NULL. Otherwisewe would see the bug above again.)

POC

Reference

Github

No PoCs found on GitHub currently.