5.5
CVE-2024-50048
- EPSS 0.25%
- Veröffentlicht 21.10.2024 20:15:17
- Zuletzt bearbeitet 03.11.2025 23:16:45
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:
struct param {
uint8_t type;
struct tiocl_selection ts;
};
int main()
{
struct fb_con2fbmap con2fb;
struct param param;
int fd = open("/dev/fb1", 0, 0);
con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;
int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, ¶m);
con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
return 0;
}
After calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:
set_con2fb_map
-> con2fb_init_display
-> fbcon_set_disp
-> redraw_screen
-> hide_cursor
-> clear_selection
-> highlight
-> invert_screen
-> do_update_region
-> fbcon_putcs
-> ops->putcs
Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version < 6.1.113
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.57
Linux ≫ Linux Kernel Version >= 6.7 < 6.11.4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.158 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-476 NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7
https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e
https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b
https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html