[SRU Groovy,Focal/linux-oem-5.6] CVE-2020-28974
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Dec 3 21:23:45 UTC 2020
[Impact]
Slab OOB read because of VT font manipulation.

[Test case]
The ioctl is gone now, returning EINVAL.

copyfont.c:
#include <linux/kd.h>
#include <sys/ioctl.h>
int main(){struct console_font_op op = {.op = KD_FONT_OP_COPY, }; return ioctl(1, KDFONTOP, &op); }

strace -eioctl ./copyfont > /dev/tty8

[Regression potential]
Some versions of systemd supported such ioctl for a time, but it ignored the
ioctl result, it seems.
This has been backported to other series, though.
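
The test case above as a self-reporting checker, so the result can be read without strace. This is an added example, not part of the original message or of the kernel tree; the function names, the verdict enum and the path argument (defaulting to the /dev/tty8 used above) are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/kd.h>

#ifndef KD_FONT_OP_COPY
#define KD_FONT_OP_COPY 3 /* value defined in linux/kd.h; fallback only */
#endif

enum copy_status { COPY_REJECTED, COPY_ACCEPTED, NOT_A_VT, INCONCLUSIVE };

/* Map the ioctl() return value and errno to a verdict (hypothetical helper). */
enum copy_status classify_copy_result(int ret, int err)
{
    if (ret == 0)
        return COPY_ACCEPTED;  /* kernel still services the copy op */
    if (err == EINVAL)
        return COPY_REJECTED;  /* the result the test case expects */
    if (err == ENOTTY)
        return NOT_A_VT;       /* fd is not a virtual console */
    return INCONCLUSIVE;       /* e.g. EPERM or EBADF: proves nothing */
}

/* Issue KDFONTOP with KD_FONT_OP_COPY on fd, as copyfont.c does on fd 1. */
enum copy_status probe_font_copy(int fd)
{
    struct console_font_op op;
    memset(&op, 0, sizeof(op));
    op.op = KD_FONT_OP_COPY;
    errno = 0;
    int ret = ioctl(fd, KDFONTOP, &op);
    return classify_copy_result(ret, errno);
}

int main(int argc, char **argv)
{
    static const char *const msg[] = { "rejected with EINVAL",
        "accepted (op still implemented)", "not a VT", "inconclusive" };
    const char *path = argc > 1 ? argv[1] : "/dev/tty8";
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0) { perror(path); return 2; }
    enum copy_status st = probe_font_copy(fd);
    close(fd);
    printf("%s: KD_FONT_OP_COPY %s\n", path, msg[st]);
    return st == COPY_REJECTED ? 0 : 1;
}
```

Exit status 0 means the ioctl was rejected with EINVAL; any other verdict means the test did not confirm the expected result on that console.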