Linux Kernel Out-of-Bounds Write Vulnerability in DRM FBDEV Generic Handling

Vulnerability

A vulnerability in the Linux kernel's Direct Rendering Manager (DRM) framebuffer device (FBDEV) generic handling can lead to out-of-bounds memory access. This issue arises because the FBDEV test in the Intel Graphics Test (IGT) suite may write past the end of a buffer, causing memory corruption for DRM drivers that use FBDEV generic support. The vulnerability has been observed on x86 platforms with AST2400 graphics, at a resolution of 1680x1050. The problem is caused by damage rectangles computed by the 'drm_fb_helper_memory_range_to_clip()' function, which can extend beyond the active display area. This miscalculation is due to buffers being allocated based on page size for memory-mapped I/O support, and an off-by-one error introduced by the 'DIV_ROUND_UP()' function. As a result, when the framebuffer is larger than the allocated memory, the 'memcpy_toio()' function can inadvertently access out-of-bounds memory, leading to a kernel crash.
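The arithmetic behind the oversized damage rectangle, as an added example that is not the kernel's code or its actual patch. It uses the 1680x1050 mode from the advisory and assumes 4 bytes per pixel and 4 KiB pages, which the advisory does not state; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

struct rows { uint32_t y1, y2; };   /* damaged rows, half-open [y1, y2) */

/* Map a written byte range [off, off+len) to rows, with no bound check. */
static struct rows range_to_rows(uint64_t off, uint64_t len, uint64_t pitch)
{
    struct rows r = { (uint32_t)(off / pitch),
                      (uint32_t)DIV_ROUND_UP(off + len, pitch) };
    return r;
}

/* Same mapping, clamped so no row lies below the visible area. */
static struct rows range_to_rows_clamped(uint64_t off, uint64_t len,
                                         uint64_t pitch, uint32_t yres)
{
    struct rows r = range_to_rows(off, len, pitch);
    if (r.y1 > yres) r.y1 = yres;
    if (r.y2 > yres) r.y2 = yres;
    return r;
}

/* Bytes a row-by-row copy of r would touch beyond `limit` bytes. */
static uint64_t bytes_past(struct rows r, uint64_t pitch, uint64_t limit)
{
    uint64_t end = (uint64_t)r.y2 * pitch;
    return end > limit ? end - limit : 0;
}

int main(void)
{
    /* Constructed values: 1680x1050 is from the advisory; 4 bytes per
     * pixel and 4 KiB pages are assumptions. */
    const uint64_t pitch = 1680 * 4, page = 4096;
    const uint32_t yres = 1050;
    const uint64_t visible = pitch * yres;                      /* 7056000 */
    const uint64_t alloc = DIV_ROUND_UP(visible, page) * page;  /* 7057408 */

    /* A write that fills the last, partly unused page of the buffer. */
    struct rows bad = range_to_rows(alloc - page, page, pitch);
    struct rows ok = range_to_rows_clamped(alloc - page, page, pitch, yres);

    printf("unclamped [%u, %u): %llu bytes past the allocation\n", bad.y1,
           bad.y2, (unsigned long long)bytes_past(bad, pitch, alloc));
    printf("clamped   [%u, %u): %llu bytes past the allocation\n", ok.y1,
           ok.y2, (unsigned long long)bytes_past(ok, pitch, alloc));
    return 0;
}
```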

Impact

Exploitation of this vulnerability causes a kernel panic, with the system hanging due to a memory access violation. The call trace indicates that the issue occurs during the processing of framebuffer damage updates, where the out-of-bounds access is triggered by the last line of a copied buffer exceeding the allocated memory.

Reproduction

To reproduce this vulnerability, run the FBDEV test from the Intel Graphics Test (IGT) suite on a Linux kernel that includes this vulnerability, on an x86 platform with AST2400 graphics. Set the display resolution to 1680x1050. The test will write past the end of a buffer, causing an out-of-bounds memory access that leads to a kernel panic.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version that includes this fix.

Added: Dec 24, 2025, 3:18 PM
Updated: Dec 24, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.