Linux Kernel Vmalloc Out-of-Bounds Write Vulnerability in fbdev fast_imageblit

Vulnerability

A vulnerability allowing a vmalloc out-of-bounds write has been identified in the Linux kernel's framebuffer (fbdev) subsystem, specifically in the fast_imageblit function. The issue arises when a userspace program issues an FBIOPUT_CON2FBMAP ioctl, providing a console number and a framebuffer number. The operation attempts to resize the console based on the framebuffer information. If this resizing fails and the process continues anyway, the console is improperly mapped to the new framebuffer. As a result, the display variables are updated with references to the invalid framebuffer, leading to an out-of-bounds write in the fast_imageblit function. The flaw is triggered when the foreground console matches the requested visible console, because the screen is then updated using the invalid data references.
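The following user-space model is an added illustration of the error-handling pattern described above; it is not the kernel's code or the upstream patch. All struct names, function names and sizes are constructed, and the resize failure is injected with a flag. It contrasts a remap that ignores the resize result with one that commits the mapping only after the resize succeeds, and computes how far a full redraw would run past the mapped buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only: every name and size below is constructed. */
struct fb { size_t cols, rows; };               /* buffer holds cols*rows cells */
struct console { int fb; size_t cols, rows; };  /* mapping + display variables */

enum { NFB = 2 };
static const struct fb fbs[NFB] = { {160, 64}, {80, 25} };

/* Stand-in for the console resize; 'fail' injects the failure case. */
static int resize(struct console *c, size_t cols, size_t rows, int fail) {
    if (fail) return -1;
    c->cols = cols; c->rows = rows;
    return 0;
}

/* Flawed flow: resize result ignored, new mapping committed anyway. */
static int map_unchecked(struct console *c, int fb, int fail) {
    (void)resize(c, fbs[fb].cols, fbs[fb].rows, fail);
    c->fb = fb;
    return 0;
}

/* Hardened flow: validate the index, commit only after a successful resize. */
static int map_checked(struct console *c, int fb, int fail) {
    if (fb < 0 || fb >= NFB) return -1;
    if (resize(c, fbs[fb].cols, fbs[fb].rows, fail) != 0)
        return -1;                 /* console keeps its old, consistent state */
    c->fb = fb;
    return 0;
}

/* Cells a full redraw would write past the mapped buffer (0 = in bounds). */
static size_t redraw_overrun(const struct console *c) {
    size_t need = c->cols * c->rows, have = fbs[c->fb].cols * fbs[c->fb].rows;
    return need > have ? need - have : 0;
}

typedef int (*map_fn)(struct console *, int, int);
static size_t overrun_after(map_fn map, int fail) {
    struct console c = { 0, fbs[0].cols, fbs[0].rows };  /* starts on fb 0 */
    map(&c, 1, fail);                                     /* remap to fb 1 */
    return redraw_overrun(&c);
}

int main(void) {
    printf("unchecked, resize fails: overrun=%zu cells\n", overrun_after(map_unchecked, 1));
    printf("checked,   resize fails: overrun=%zu cells\n", overrun_after(map_checked, 1));
    return 0;
}
```

In the model, the unchecked path leaves the console with the old geometry while pointing at the smaller buffer, which is the inconsistent state the description attributes to the failed resize.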

Impact

Exploitation of this vulnerability results in a vmalloc out-of-bounds write, which can potentially lead to memory corruption.

Reproduction

To reproduce this vulnerability, a userspace program must send an ioctl FBIOPUT_CON2FBMAP request with a valid console number and framebuffer number. The console number must correspond to a visible console. The operation will then attempt to resize the console based on the provided framebuffer information. If the resizing fails but the process continues, the vulnerability will be triggered, causing an out-of-bounds write in the fast_imageblit function.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Git Repository.

Added: Sep 4, 2025, 6:15 PM
Updated: Sep 4, 2025, 6:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.