A new vulnerability, tracked as CVE-2023-38409, has been discovered in Linux kernel versions before 6.2.12. The affected function is set_con2fb_map, which resides in the drivers/video/fbdev/core/fbcon.c file. This vulnerability can cause a desynchronization between the fbcon_registered_fb and fbcon_display arrays when fbcon_mode_deleted is called, because an assignment is made only for the first vc (virtual console). Here, we will discuss the vulnerability in detail and how it can be exploited, provide a code snippet, and link to the original references.

The affected function is set_con2fb_map, which can be found in the fbcon.c file:

int set_con2fb_map(int unit, int newidx)
{
	struct fb_info *oldinfo = NULL;
	int i;

	/* Reject framebuffer indices outside the registered_fb[] table */
	if (newidx >= FB_MAX)
		return -EINVAL;

	mutex_lock(&registration_lock);
	if (con2fb_map_boot) {
		/* Boot-time mapping: point every vc in the range at newidx */
		for (i = first_fb_vc; i <= last_fb_vc; i++)
			con2fb_map[i] = newidx;
		init_allocated_fb = true;
		mutex_unlock(&registration_lock);
		return 0;
	}

	/* Allocate a new console-to-framebuffer mapping
	 * if we don't already have one */
	if (unit == -1)
		goto new_mapping;

	/* Nothing to do if this vc already maps to newidx */
	if (con2fb_map[unit] == newidx) {
		mutex_unlock(&registration_lock);
		return 0;
	}

	/* New mapping index -- update the "con2fb_map" array for this vc only */
	oldinfo = registered_fb[newidx];
	con2fb_map[unit] = newidx;

new_mapping:
	if (oldinfo) {
		/* Should release any old console mapping here */
	}
	mutex_unlock(&registration_lock);
	return 0;
}

Exploit Details

The vulnerability exists because the assignment is made only for the first virtual console (vc). As a result, the fbcon_registered_fb and fbcon_display arrays become unsynchronized when fbcon_mode_deleted is called, since con2fb_map still points at the old fb_info.

An attacker with access to the system can potentially exploit this vulnerability by causing a desynchronization between the fbcon_registered_fb and fbcon_display arrays. This can lead to undefined behavior that could potentially crash the system or allow the attacker to execute arbitrary code with kernel-level privileges.
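To make the failure mode concrete, here is a small userspace model of the console-to-framebuffer tables, added as an illustration for this post; it is not the kernel's code and not the patch. It keeps the page's names (con2fb_map, registered_fb, first_fb_vc/last_fb_vc) but the per-vc display table, the table sizes and the two update routines are constructed assumptions. The first routine rewrites the map for every vc but refreshes the per-vc display state only for the first vc, the shape of bug the post describes; the second refreshes every vc together with the map. An invariant checker counts the vcs whose cached fb_info no longer matches what the map says, which is the kind of consistency assertion a maintainer would want when reviewing changes to this code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define FB_MAX 4   /* constructed table sizes for the model */
#define NR_VCS 6

struct fb_info { int node; };

/* Per-vc display state. In this model it caches the fb_info the vc was set
 * up against; that is an assumption for illustration, not the kernel layout. */
struct display { struct fb_info *fb; };

static struct fb_info fb_pool[FB_MAX];
static struct fb_info *registered_fb[FB_MAX];
static int con2fb_map[NR_VCS];
static struct display fb_display[NR_VCS];
static const int first_fb_vc = 0, last_fb_vc = NR_VCS - 1;

/* Register every framebuffer and bind all vcs to fb 0 (constructed state). */
void model_init(void)
{
    for (int i = 0; i < FB_MAX; i++) {
        fb_pool[i].node = i;
        registered_fb[i] = &fb_pool[i];
    }
    for (int vc = first_fb_vc; vc <= last_fb_vc; vc++) {
        con2fb_map[vc] = 0;
        fb_display[vc].fb = registered_fb[0];
    }
}

/* Buggy shape: the map is rewritten for the whole vc range, but the
 * per-vc display state is refreshed only for the first vc. */
int set_con2fb_map_first_only(int newidx)
{
    if (newidx < 0 || newidx >= FB_MAX || !registered_fb[newidx])
        return -EINVAL;
    for (int vc = first_fb_vc; vc <= last_fb_vc; vc++)
        con2fb_map[vc] = newidx;
    fb_display[first_fb_vc].fb = registered_fb[newidx];
    return 0;
}

/* Corrected shape: every vc in the range is refreshed along with the map. */
int set_con2fb_map_all(int newidx)
{
    if (newidx < 0 || newidx >= FB_MAX || !registered_fb[newidx])
        return -EINVAL;
    for (int vc = first_fb_vc; vc <= last_fb_vc; vc++) {
        con2fb_map[vc] = newidx;
        fb_display[vc].fb = registered_fb[newidx];
    }
    return 0;
}

/* Invariant: each vc's display state must refer to the fb_info that
 * registered_fb[con2fb_map[vc]] currently names. Returns the number of
 * vcs violating it; 0 means the tables are in sync. */
int count_desynced_vcs(void)
{
    int bad = 0;
    for (int vc = first_fb_vc; vc <= last_fb_vc; vc++)
        if (fb_display[vc].fb != registered_fb[con2fb_map[vc]])
            bad++;
    return bad;
}

int main(void)
{
    model_init();
    set_con2fb_map_first_only(1);
    printf("first-vc-only update: %d vcs out of sync\n", count_desynced_vcs());

    model_init();
    set_con2fb_map_all(1);
    printf("full-range update: %d vcs out of sync\n", count_desynced_vcs());
    return 0;
}
```

With six vcs, the first-vc-only update leaves five entries whose cached fb_info disagrees with the map; those stale pointers are exactly what a later fbcon_mode_deleted would walk into once the old framebuffer is gone. The full-range update leaves zero.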

Mitigation

Updating the Linux kernel to version 6.2.12 or later will patch this vulnerability. The specific fix can be found in the following commit:

- Linux kernel commit 527a13e18c83558a05ae880fd5be5cbbd0293f6

Conclusion

This post outlined the CVE-2023-38409 vulnerability in the set_con2fb_map function of the Linux kernel, showed the affected code snippet and discussed the exploit details. The vulnerability allows an attacker to cause a desynchronization between the fbcon_registered_fb and fbcon_display arrays, potentially leading to a system crash or kernel-level arbitrary code execution. Updating the Linux kernel to version 6.2.12 or later will mitigate this issue.

Timeline

Published on: 07/17/2023 22:15:00 UTC
Last modified on: 07/27/2023 03:49:00 UTC