ACK: [SRU][M][PATCH 0/1] CVE-2024-26798

Stefan Bader stefan.bader at canonical.com
Fri May 10 12:41:13 UTC 2024 

On 02.05.24 22:29, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   fbcon: always restore the old font data in fbcon_do_set_font()
> 
>   Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
>   vc_resize() failed) started restoring old font data upon failure (of
>   vc_resize()). But it performs so only for user fonts. It means that the
>   "system"/internal fonts are not restored at all. So in result, the very
>   first call to fbcon_do_set_font() performs no restore at all upon
>   failing vc_resize().
> 
>   This can be reproduced by Syzkaller to crash the system on the next
>   invocation of font_get(). It's rather hard to hit the allocation failure
>   in vc_resize() on the first font_set(), but not impossible. Esp. if
>   fault injection is used to aid the execution/failure. It was
>   demonstrated by Sirius:
>     BUG: unable to handle page fault for address: fffffffffffffff8
>     #PF: supervisor read access in kernel mode
>     #PF: error_code(0x0000) - not-present page
>     PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
>     Oops: 0000 [#1] PREEMPT SMP KASAN
>     CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
>     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>     RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
>     Call Trace:
>      <TASK>
>      con_font_get drivers/tty/vt/vt.c:4558 [inline]
>      con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
>      vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
>      vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
>      tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
>      vfs_ioctl fs/ioctl.c:51 [inline]
>     ...
> 
>   So restore the font data in any case, not only for user fonts. Note the
>   later 'if' is now protected by 'old_userfont' and not 'old_data' as the
>   latter is always set now. (And it is supposed to be non-NULL. Otherwise
>   we would see the bug above again.)
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the framework console (fbcon) driver, an
> issue with this fix would be visable to the user via a system crash.
> 
> Jiri Slaby (SUSE) (1):
>    fbcon: always restore the old font data in fbcon_do_set_font()
> 
>   drivers/video/fbdev/core/fbcon.c | 8 +++-----
>   1 file changed, 3 insertions(+), 5 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240510/3f085a9e/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240510/3f085a9e/attachment-0001.sig>

More information about the kernel-team mailing list