Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A null pointer dereference vulnerability has been identified in the Linux kernel's framebuffer (fbdev) subsystem. This issue arises in the 'do_register_framebuffer' function, specifically within the 'fb_add_videomode' call. If 'do_register_framebuffer' fails to allocate memory for the 'fb_videomode', it can lead to a null pointer dereference in 'fb_videomode_to_var'. The vulnerability occurs because the 'fb_info' is registered without the expected videomode in the modelist, leading to a general protection fault. This issue was discovered by the Linux Verification Center using Syzkaller.
Exploitation of this vulnerability causes a general protection fault due to a null pointer dereference, likely leading to a system crash.
The vulnerability can be reproduced by registering a framebuffer without a properly allocated videomode. This can be done by using the 'do_register_framebuffer' function in the framebuffer device driver, ensuring that the 'fb_videomode' allocation fails. The 'fbcon_init' function can then be called, which will trigger the 'fb_match_mode' check. Since the mode was not set correctly, this will result in a panic. The 'fbcon_init' function does not return an error code, which allows the vulnerability to manifest.
Users should update to the latest stable version of the Linux kernel where this vulnerability has been addressed.
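The failure pattern described above, reduced to a userspace C model (an added example, not kernel source and not the upstream patch): registration that ignores a failed mode allocation leaves a registered device with an empty modelist, while the checked variant propagates the error. All struct and function names are simplified stand-ins for the kernel ones, and `fail_alloc` is a constructed fault-injection switch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for fb_videomode, the modelist entry and fb_info. */
struct videomode { int xres, yres; };
struct modenode { struct videomode mode; struct modenode *next; };
struct fbinfo { struct videomode var; struct modenode *modelist; int registered; };
static int fail_alloc; /* constructed: 1 simulates the allocation failure */

/* Stand-in for fb_add_videomode: allocates a modelist entry, may fail. */
static int add_videomode(const struct videomode *m, struct fbinfo *fb) {
    struct modenode *n = fail_alloc ? NULL : malloc(sizeof(*n));
    if (!n) return -ENOMEM;
    n->mode = *m; n->next = fb->modelist; fb->modelist = n;
    return 0;
}
/* Stand-in for fb_match_mode: returns NULL when no entry matches. */
static const struct videomode *match_mode(const struct fbinfo *fb) {
    for (const struct modenode *n = fb->modelist; n; n = n->next)
        if (n->mode.xres == fb->var.xres && n->mode.yres == fb->var.yres)
            return &n->mode;
    return NULL;
}
/* Flawed pattern: return value ignored, device registered anyway. */
static int register_fb_unchecked(struct fbinfo *fb) {
    (void)add_videomode(&fb->var, fb);
    fb->registered = 1;
    return 0;
}
/* Checked pattern (assumed hardening): fail registration on -ENOMEM. */
static int register_fb_checked(struct fbinfo *fb) {
    int err = add_videomode(&fb->var, fb);
    if (err) return err;
    fb->registered = 1;
    return 0;
}
/* Console-init stand-in: a NULL match is reported, not dereferenced. */
static int console_init(const struct fbinfo *fb) {
    const struct videomode *m = match_mode(fb);
    if (!m) return -EINVAL;
    return m->xres * m->yres;
}
int main(void) {
    struct fbinfo fb = { {640, 480}, NULL, 0 };
    fail_alloc = 1;
    printf("unchecked=%d\n", register_fb_unchecked(&fb));
    printf("registered=%d console=%d\n", fb.registered, console_init(&fb));
    return 0;
}
```

In the model, the unchecked path reports success while `match_mode` has nothing to return; the guard in `console_init` is what keeps that NULL from being dereferenced.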