Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's virtual terminal (VT) driver can lead to out-of-bounds memory access, causing a kernel oops. This issue arises when the console is resized while in an alternate screen mode, leading to a mismatch between the dimensions of the Unicode buffer and the actual console size. The problem occurs in the VT driver when the 'enter_alt_screen' function saves the current Unicode line data and then a console resize operation is performed. The resize operation skips reallocating the Unicode buffer because the pointer to the current buffer is set to NULL. However, the saved pointer still points to the old buffer, which can no longer accommodate the current dimensions. As a result, any operation that clears the screen using the current dimensions will access memory beyond the allocated buffer, causing a page fault and a kernel oops. This vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability causes a kernel oops, which is a serious error indicating that the kernel has encountered a problem it cannot handle, often leading to a system crash.
To reproduce this vulnerability, first enter an alternate screen mode in a virtual terminal. Then, resize the console, which will cause the Unicode buffer management to fail. After resizing, perform an operation that clears the screen using the current dimensions. This will trigger the out-of-bounds memory access, causing a page fault and a kernel oops.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version of the stable Linux kernel to address this issue.
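The buffer and dimension mismatch described above, as a user-space C model added here for illustration; it is not kernel code and not the upstream fix. All names, the restore step on leaving the alternate screen, the constructed sizes, and the `hardened` mitigation (discarding the saved buffer on resize) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; all names are hypothetical, not kernel identifiers. */
struct buf { unsigned *cells; size_t n; };   /* Unicode buffer and its capacity */
struct term { unsigned rows, cols; struct buf cur, saved; };

static void enter_alt(struct term *t)        /* stash current buffer, NULL the pointer */
{
    t->saved = t->cur;
    t->cur = (struct buf){ NULL, 0 };
}

static void resize(struct term *t, unsigned rows, unsigned cols, int hardened)
{
    if (t->cur.cells) {                      /* normal path: reallocate to the new size */
        free(t->cur.cells);
        t->cur.n = (size_t)rows * cols;
        t->cur.cells = calloc(t->cur.n, sizeof(unsigned));
    }                                        /* cur is NULL: reallocation is skipped */
    if (hardened && t->saved.cells) {        /* assumed mitigation: drop the stale copy */
        free(t->saved.cells);
        t->saved = (struct buf){ NULL, 0 };
    }
    t->rows = rows; t->cols = cols;
}

static void leave_alt(struct term *t)        /* assumed restore step */
{
    t->cur = t->saved;
    t->saved = (struct buf){ NULL, 0 };
}

static int clear_in_bounds(const struct term *t)  /* 1 if a full clear fits the buffer */
{
    return !t->cur.cells || (size_t)t->rows * t->cols <= t->cur.n;
}

int scenario(int hardened)                   /* returns 1 if the clear stays in bounds */
{
    struct term t = { 25, 80, { calloc(25 * 80, sizeof(unsigned)), 25 * 80 }, { NULL, 0 } };
    enter_alt(&t);
    resize(&t, 50, 132, hardened);           /* constructed sizes */
    leave_alt(&t);
    int ok = clear_in_bounds(&t);            /* checks the bound, never touches memory */
    free(t.cur.cells);
    return ok;
}

int main(void) { printf("%d %d\n", scenario(0), scenario(1)); return 0; }
```

The model only compares the clear's cell count against the buffer capacity; it never performs the out-of-bounds write itself.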