We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2024-26798

fbcon: always restore the old font data in fbcon_do_set_font()

Reserved:2024-02-19
Published:2024-04-04
Updated:2024-04-04

Description

In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: <TASK> con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)

Product status

Default status
unaffected

ebd6f886aa24 before 20a4b5214f7b
affected

a5a923038d70 before 2f91a96b892f
affected

a5a923038d70 before 73a6bd68a134
affected

a5a923038d70 before a2c881413dcc
affected

a5a923038d70 before 00d6a284fcf3
affected

Default status
affected

6.0
affected

Any version before 6.0
unaffected

5.15.151
unaffected

6.1.81
unaffected

6.6.21
unaffected

6.7.9
unaffected

6.8
unaffected

References

https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d

https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b

https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520

https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8

https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f

cve.org CVE-2024-26798

nvd.nist.gov CVE-2024-26798

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-26798