Linux Kernel Hyper-V Framebuffer Driver Kdump Hang Vulnerability

Vulnerability

A vulnerability in the Linux kernel's framebuffer handling on Hyper-V Generation 2 virtual machines can cause the kdump kernel to hang. This issue arises when the hyperv_fb driver moves the framebuffer to a different memory-mapped I/O address due to conflicts with other framebuffer drivers. When the kdump kernel is loaded, it uses the original framebuffer address, which may no longer be valid, leading to a hang as the system repeatedly accesses a non-existent framebuffer. This problem was introduced by a recent commit that reverted a previous fix, and it does not affect the hyperv_drm driver, which manages framebuffers differently.

Impact

Exiting the kdump kernel can hang the system, making it appear unresponsive or causing it to run very slowly.

Reproduction

The vulnerability can be reproduced by booting a Hyper-V Gen 2 VM with a standard EFI framebuffer. When the kdump kernel is loaded via the kexec_file_load() system call, the hyperv_fb driver may have already moved the framebuffer to a different MMIO address, creating a conflict. The kdump kernel then accesses a non-existent framebuffer address, leading to a hang.

Remediation

The vulnerability has been addressed by modifying the hyperv_fb driver to remove conflicting framebuffers before allocating a new MMIO address, ensuring that the kdump kernel always receives the correct framebuffer location.
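To find guests that match the conditions described above (Hyper-V Gen 2 VM, hyperv_fb rather than hyperv_drm, a crash kernel loaded), the following triage script can be used. It is an added example, not part of the advisory or the kernel fix; the `root` path prefix, the status strings, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example, not from the advisory. It reports whether a guest has
# the configuration described above; it does NOT tell you whether the running
# kernel already contains the hyperv_fb fix.
# The root argument (hypothetical) prefixes every path so the checks can run
# against a constructed directory tree; pass "" on a live system.

is_hyperv_gen2() {
    # Generation 2 VMs boot through UEFI, so /sys/firmware/efi must exist.
    [ -d "$1/sys/firmware/efi" ] || return 1
    # DMI strings a Hyper-V guest reports.
    vendor=$(cat "$1/sys/class/dmi/id/sys_vendor" 2>/dev/null || true)
    product=$(cat "$1/sys/class/dmi/id/product_name" 2>/dev/null || true)
    [ "$vendor" = "Microsoft Corporation" ] && [ "$product" = "Virtual Machine" ]
}

uses_hyperv_fb() {
    # Loaded as a module: sysfs has a directory for it.
    [ -d "$1/sys/module/hyperv_fb" ] && return 0
    # Otherwise look in /proc/fb ("<node> <driver id>" per line).
    # Assumption: hyperv_fb registers under its module name.
    awk '$2 == "hyperv_fb" { found = 1 } END { exit !found }' "$1/proc/fb" 2>/dev/null
}

crash_kernel_loaded() {
    # 1 when a crash (kdump) kernel image is currently loaded. This flag does
    # not say whether kexec_file_load() or kexec_load() was used.
    [ "$(cat "$1/sys/kernel/kexec_crash_loaded" 2>/dev/null || true)" = "1" ]
}

hvfb_kdump_exposure() {
    root=${1:-}
    if ! is_hyperv_gen2 "$root"; then echo "not-hyperv-gen2"; return 0; fi
    if ! uses_hyperv_fb "$root"; then echo "hyperv_fb-not-in-use"; return 0; fi
    if ! crash_kernel_loaded "$root"; then echo "no-crash-kernel-loaded"; return 0; fi
    echo "matches-advisory-config"
}

hvfb_kdump_exposure "${ROOT:-}"
```

A result of `matches-advisory-config` means the guest should be checked against the distribution's kernel changelog for the hyperv_fb fix before relying on kdump.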

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.8
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.