Linux Kernel Framebuffer Use-After-Free Vulnerability in fbcon Component

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's framebuffer console (fbcon) component. This issue arises during the unregistration of framebuffer devices, where the memory for the framebuffer's mode list is freed without properly nullifying the corresponding entries in the global display array. As a result, subsequent access to these entries can lead to undefined behavior. The vulnerability was discovered using the syzkaller fuzzer, which triggered a slab-use-after-free error by attempting to delete a mode from a framebuffer that had already been unregistered.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

1. Ensure that /dev/fb0 is registered on the system.
2. Load a kernel module that registers a new framebuffer device, /dev/fb1.
3. Map a console to fb1 with the FBIOPUT_CON2FBMAP ioctl, which places fb1's mode in the global fb_display array.
4. Switch the console from framebuffer to VGA, which allows the kernel module to be removed normally.
5. Unload the kernel module. At this point fb1's mode list is freed, but the corresponding entry in fb_display remains a dangling pointer.
6. Trigger the vulnerability by using fb0 to delete a mode, which accesses the freed memory.
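The following user-space C model, added here as an illustration and not taken from the kernel source or from the fix, shows the bug class described in the Vulnerability section and in the reproduction steps: a per-console array keeps a pointer into a device's mode list, and unregistering the device frees that list. All names (fb_display_model, fb_info_model, bind_console, the two unregister variants) are hypothetical stand-ins for the kernel structures the page mentions; the hardened variant clears the array entries before freeing, which is the pattern a fix for this class of bug must follow.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CONS 4                                   /* consoles in the model */
struct fb_modelist { int num_modes; };               /* stands in for a device's mode list */
struct fb_info_model { int node; struct fb_modelist *modelist; };
struct display_model { struct fb_modelist *modelist; }; /* per-console entry, like fb_display */
static struct display_model fb_display_model[MAX_CONS];  /* constructed model, not kernel state */

/* Bind a console to a device's mode list (the role FBIOPUT_CON2FBMAP plays in the steps above) */
static void bind_console(int con, struct fb_info_model *info)
{
    fb_display_model[con].modelist = info->modelist;
}
/* Vulnerable pattern: the list is freed, but console entries keep pointing at it */
static void unregister_vulnerable(struct fb_info_model *info)
{
    free(info->modelist);
    info->modelist = NULL;
}
/* Hardened pattern: clear every console entry referencing the list before freeing it */
static void unregister_fixed(struct fb_info_model *info)
{
    for (int i = 0; i < MAX_CONS; i++)
        if (fb_display_model[i].modelist == info->modelist)
            fb_display_model[i].modelist = NULL;
    free(info->modelist);
    info->modelist = NULL;
}
/* Count console entries still holding the address of a list that has been freed */
static int dangling_entries(uintptr_t freed_addr)
{
    int n = 0;
    for (int i = 0; i < MAX_CONS; i++)
        if ((uintptr_t)fb_display_model[i].modelist == freed_addr)
            n++;
    return n;
}
/* Model of the reproduction: bind two consoles to a second device, unregister it, then
   report how many fb_display entries are left dangling (0 with the fix, 2 without) */
static int run_scenario(int use_fix)
{
    struct fb_info_model fb1 = { 1, calloc(1, sizeof(struct fb_modelist)) };
    memset(fb_display_model, 0, sizeof fb_display_model);
    bind_console(0, &fb1);
    bind_console(2, &fb1);
    uintptr_t addr = (uintptr_t)fb1.modelist;        /* remembered before the free */
    if (use_fix) unregister_fixed(&fb1); else unregister_vulnerable(&fb1);
    return dangling_entries(addr);
}
```

The model only compares pointer values and never dereferences the freed list, so it demonstrates the dangling entries without itself performing a use-after-free.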

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree.

Added: Dec 8, 2025, 1:19 AM
Updated: Dec 8, 2025, 1:19 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.