Linux Kernel Buffer Overflow Vulnerability in Framebuffer Registration

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's framebuffer registration process. The issue lies in the framebuffer device (fbdev) subsystem, specifically in the 'do_register_framebuffer' function. When unregistration leaves NULL gaps in the registered framebuffer array, the registration loop that searches for a free slot can run past the array bounds. The problem occurs when every array slot is occupied while the count of registered framebuffers is still below the maximum limit.

Impact

Exploitation of this vulnerability can lead to a buffer overflow, which may allow for arbitrary code execution or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by creating a scenario where framebuffer unregistration leaves NULL gaps in the 'registered_fb' array. This can be done by manually unregistering framebuffers in a way that does not properly clean up the array. Once the NULL gaps are created, the 'do_register_framebuffer' function can be called to register a new framebuffer. If all array slots are occupied but the count of registered framebuffers is still below the maximum limit, the registration loop will exceed the array bounds, causing a buffer overflow.

Remediation

The vulnerability has been addressed by adding boundary checks to the 'do_register_framebuffer' function. Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.
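As an added example that is not from the advisory or the kernel tree: a small C model of the registration loop from the Reproduction and Remediation sections above, with the count-only search beside the bounds-checked version. SLOT_MAX, slots[], pool[] and the function names are assumed placeholders standing in for FB_MAX, registered_fb[] and the real routines; make_inconsistent() is a constructed stand-in for however the real array and count diverge, since the advisory does not describe that path.

```c
#include <stdio.h>

/* Constructed model of a fixed-size registry guarded by a separate count.
 * Not the kernel's fbdev code: SLOT_MAX, slots[] and the function names are
 * placeholders standing in for FB_MAX, registered_fb[] and the real routines. */
#define SLOT_MAX 4

struct dev { int id; };
static struct dev pool[SLOT_MAX + 1] = { {1}, {2}, {3}, {4}, {5} };
static struct dev *slots[SLOT_MAX];
static int num_registered;

/* Constructed bad state: every slot occupied while the count claims room. */
static void make_inconsistent(void) {
    for (int i = 0; i < SLOT_MAX; i++) slots[i] = &pool[i];
    num_registered = SLOT_MAX - 1;
}

/* Before the fix: the count is the only guard; with no free entry the loop
 * runs off the end and hands back SLOT_MAX, one past the array. */
static int find_slot_unchecked(void) {
    if (num_registered == SLOT_MAX) return -1;   /* count says 3: passes */
    int i;
    for (i = 0; i < SLOT_MAX; i++)
        if (!slots[i]) break;
    return i;                                    /* 4 here: out of bounds */
}

/* After the fix: the loop index is checked against the array size, so an
 * exhausted search fails cleanly instead of writing past slots[]. */
static int register_checked(struct dev *d) {
    if (num_registered == SLOT_MAX) return -1;
    int i;
    for (i = 0; i < SLOT_MAX; i++)
        if (!slots[i]) break;
    if (i == SLOT_MAX) return -1;                /* the added boundary check */
    slots[i] = d;
    num_registered++;
    return i;
}

/* Unregistering clears the slot, leaving a NULL gap for the next search. */
static void unregister_slot(int i) {
    if (i >= 0 && i < SLOT_MAX && slots[i]) { slots[i] = NULL; num_registered--; }
}
int unchecked_index_in_bad_state(void) { make_inconsistent(); return find_slot_unchecked(); }
int checked_result_in_bad_state(void) { make_inconsistent(); return register_checked(&pool[4]); }
int checked_result_after_gap(void) { make_inconsistent(); unregister_slot(1); return register_checked(&pool[4]); }
int main(void) {
    printf("unchecked: %d  checked(full): %d  checked(gap): %d\n",
           unchecked_index_in_bad_state(), checked_result_in_bad_state(), checked_result_after_gap());
    return 0;
}
```

The unchecked search returns the index SLOT_MAX in the bad state, which a caller would use to write one element past the array; the checked version refuses, and succeeds only once a genuine NULL gap exists.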

Added: Sep 4, 2025, 5:43 PM
Updated: Sep 4, 2025, 5:43 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.