CVE-2024-26798
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/04/2024
Last modified: 06/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

fbcon: always restore the old font data in fbcon_do_set_font()

Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize().

This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius:

```
BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
Call Trace:

con_font_get drivers/tty/vt/vt.c:4558 [inline]
con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
vfs_ioctl fs/ioctl.c:51 [inline]
...
```

So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)
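The defect described above is an incomplete rollback on an error path: the new font pointer is installed before vc_resize() runs, and when the resize fails the restore only happened for user fonts, so a console whose previous font was the built-in one was left pointing at a buffer the caller then discards. The following userspace model is an added illustration, not kernel code and not the patch itself; the struct, buffers and function names are constructed, and the `restore_always` flag switches between the pre-fix condition (restore only when the old font was a user font) and the fixed condition (restore unconditionally) so both behaviours can be compared on the two cases the commit message distinguishes.

```c
#include <stdio.h>

/* Constructed model (not kernel code) of the rollback in fbcon_do_set_font():
 * a font swap whose vc_resize() step fails must put back the previous font
 * data whether or not that previous font was a user font. */

struct vc_model {
    const unsigned char *font_data; /* currently installed glyph data */
    int userfont;                   /* nonzero if font_data is a user font */
};

/* Constructed stand-ins for the built-in font and two user-supplied fonts. */
static const unsigned char system_font[]     = "builtin-system-font";
static const unsigned char user_font[]       = "user-supplied-font";
static const unsigned char older_user_font[] = "older-user-font";

/* Stand-in for vc_resize(): 0 on success, -1 on (simulated) allocation failure. */
static int vc_resize_model(int fail)
{
    return fail ? -1 : 0;
}

/* restore_always == 0 models the pre-fix logic (restore only if the old font
 * was a user font); restore_always != 0 models the fixed logic. */
static int do_set_font_model(struct vc_model *vc, const unsigned char *new_data,
                             int resize_fails, int restore_always)
{
    const unsigned char *old_data = vc->font_data;
    int old_userfont = vc->userfont;

    /* The new font is installed first and the console resized afterwards,
     * the ordering the commit message implies. */
    vc->font_data = new_data;
    vc->userfont = 1;

    if (vc_resize_model(resize_fails) < 0) {
        if (restore_always || old_userfont) {
            /* Roll back so the console never keeps a reference to the
             * rejected buffer. */
            vc->font_data = old_data;
            vc->userfont = old_userfont;
        }
        /* In the kernel the rejected buffer is freed by the caller; a vc that
         * still points at it is left with a dangling pointer, and the next
         * font_get() dereferences it. The model only stops using it. */
        return -1;
    }
    return 0;
}

/* First call on a console that still has the built-in font (userfont == 0).
 * Returns 1 if the console still points at the system font after the failed
 * swap, 0 if it was left pointing at the discarded user buffer. */
int rollback_keeps_system_font(int restore_always)
{
    struct vc_model vc = { system_font, 0 };
    int rc = do_set_font_model(&vc, user_font, /*resize_fails=*/1, restore_always);
    return rc < 0 && vc.font_data == system_font;
}

/* Later call on a console whose current font is already a user font.
 * Both variants roll back here, which is why the bug only hits the first
 * fbcon_do_set_font() call. */
int rollback_keeps_user_font(int restore_always)
{
    struct vc_model vc = { older_user_font, 1 };
    int rc = do_set_font_model(&vc, user_font, /*resize_fails=*/1, restore_always);
    return rc < 0 && vc.font_data == older_user_font;
}

int main(void)
{
    printf("system font, pre-fix logic keeps it: %d\n", rollback_keeps_system_font(0));
    printf("system font, fixed logic keeps it:   %d\n", rollback_keeps_system_font(1));
    printf("user font,   pre-fix logic keeps it: %d\n", rollback_keeps_user_font(0));
    printf("user font,   fixed logic keeps it:   %d\n", rollback_keeps_user_font(1));
    return 0;
}
```

The useful review habit this models: when a function mutates shared state before a fallible step, every restore on the failure branch must be keyed on "was state changed" rather than on a property of the old state (here, whether it was a user font), and the later cleanup keyed on the old property, as the patch does with `old_userfont`.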
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.64 (including) | 5.15.151 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0 (including) | 6.1.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
- https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d
- https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b
- https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520
- https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8
- https://git.kernel.org/stable/c/ae68f57df3335679653868fafccd8c88ef84ae98