cve/published/2024/CVE-2024-26798.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26798: fbcon: always restore the old font data in fbcon_do_set_font()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fbcon: always restore the old font data in fbcon_do_set_font()

 Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
 vc_resize() failed) started restoring old font data upon failure (of
 vc_resize()). But it performs so only for user fonts. It means that the
 "system"/internal fonts are not restored at all. So in result, the very
 first call to fbcon_do_set_font() performs no restore at all upon
 failing vc_resize().

 This can be reproduced by Syzkaller to crash the system on the next
 invocation of font_get(). It's rather hard to hit the allocation failure
 in vc_resize() on the first font_set(), but not impossible. Esp. if
 fault injection is used to aid the execution/failure. It was
 demonstrated by Sirius:
   BUG: unable to handle page fault for address: fffffffffffffff8
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
   Oops: 0000 [#1] PREEMPT SMP KASAN
   CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
   RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
   Call Trace:
    <TASK>
    con_font_get drivers/tty/vt/vt.c:4558 [inline]
    con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
    vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
    vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
    tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
    vfs_ioctl fs/ioctl.c:51 [inline]
   ...

 So restore the font data in any case, not only for user fonts. Note the
 later 'if' is now protected by 'old_userfont' and not 'old_data' as the
 latter is always set now. (And it is supposed to be non-NULL. Otherwise
 we would see the bug above again.)

 The Linux kernel CVE team has assigned CVE-2024-26798 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.64 with commit ebd6f886aa2447fcfcdce5450c9e1028e1d681bb and fixed in 5.15.151 with commit 20a4b5214f7bee13c897477168c77bbf79683c3d
 	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.1.81 with commit 2f91a96b892fab2f2543b4a55740c5bee36b1a6b
 	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.6.21 with commit 73a6bd68a1342f3a44cac9dffad81ad6a003e520
 	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.7.9 with commit a2c881413dcc5d801bdc9535e51270cc88cb9cd8
 	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.8 with commit 00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
 	Issue introduced in 5.19.6 with commit f08ccb792d3eaf1dc62d8cbf6a30d6522329f660

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26798
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/video/fbdev/core/fbcon.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d
 	https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b
 	https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520
 	https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8
 	https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26798: fbcon: always restore the old font data in fbcon_do_set_font()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fbcon: always restore the old font data in fbcon_do_set_font()

	Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
	vc_resize() failed) started restoring old font data upon failure (of
	vc_resize()). But it performs so only for user fonts. It means that the
	"system"/internal fonts are not restored at all. So in result, the very
	first call to fbcon_do_set_font() performs no restore at all upon
	failing vc_resize().

	This can be reproduced by Syzkaller to crash the system on the next
	invocation of font_get(). It's rather hard to hit the allocation failure
	in vc_resize() on the first font_set(), but not impossible. Esp. if
	fault injection is used to aid the execution/failure. It was
	demonstrated by Sirius:
	BUG: unable to handle page fault for address: fffffffffffffff8
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
	Oops: 0000 [#1] PREEMPT SMP KASAN
	CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
	Call Trace:
	<TASK>
	con_font_get drivers/tty/vt/vt.c:4558 [inline]
	con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
	vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
	vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
	tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
	vfs_ioctl fs/ioctl.c:51 [inline]
	...

	So restore the font data in any case, not only for user fonts. Note the
	later 'if' is now protected by 'old_userfont' and not 'old_data' as the
	latter is always set now. (And it is supposed to be non-NULL. Otherwise
	we would see the bug above again.)

	The Linux kernel CVE team has assigned CVE-2024-26798 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.64 with commit ebd6f886aa2447fcfcdce5450c9e1028e1d681bb and fixed in 5.15.151 with commit 20a4b5214f7bee13c897477168c77bbf79683c3d
	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.1.81 with commit 2f91a96b892fab2f2543b4a55740c5bee36b1a6b
	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.6.21 with commit 73a6bd68a1342f3a44cac9dffad81ad6a003e520
	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.7.9 with commit a2c881413dcc5d801bdc9535e51270cc88cb9cd8
	Issue introduced in 6.0 with commit a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 and fixed in 6.8 with commit 00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
	Issue introduced in 5.19.6 with commit f08ccb792d3eaf1dc62d8cbf6a30d6522329f660

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26798
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/video/fbdev/core/fbcon.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d
	https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b
	https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520
	https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8
	https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f