| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120820-CVE-2025-40304-47b3@gregkh> Date: Mon, 8 Dec 2025 09:47:28 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40304: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes. The Linux kernel CVE team has assigned CVE-2025-40304 to this issue. Affected and fixed versions =========================== Fixed in 5.4.302 with commit 996bfaa7372d6718b6d860bdf78f6618e850c702 Fixed in 5.10.247 with commit f0982400648a3e00580253e0c48e991f34d2684c Fixed in 5.15.197 with commit 1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 Fixed in 6.1.159 with commit ebc0730b490c7f27340b1222e01dd106e820320d Fixed in 6.6.117 with commit 86df8ade88d290725554cefd03101ecd0fbd3752 Fixed in 6.12.58 with commit 15ba9acafb0517f8359ca30002c189a68ddbb939 Fixed in 6.17.8 with commit 2d1359e11674ed4274934eac8a71877ae5ae7bbb Fixed in 6.18 with commit 3637d34b35b287ab830e66048841ace404382b67 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40304 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/video/fbdev/core/bitblit.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702 https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752 https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939 https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67
Powered by blists - more mailing lists