CVE-2024-50048

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/10/2024
Last modified: 23/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:

    struct param {
        uint8_t type;
        struct tiocl_selection ts;
    };

    int main()
    {
        struct fb_con2fbmap con2fb;
        struct param param;

        int fd = open("/dev/fb1", 0, 0);

        con2fb.console = 0x19;
        con2fb.framebuffer = 0;
        ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

        param.type = 2;
        param.ts.xs = 0; param.ts.ys = 0;
        param.ts.xe = 0; param.ts.ye = 0;
        param.ts.sel_mode = 0;

        int fd1 = open("/dev/tty1", O_RDWR, 0);
        ioctl(fd1, TIOCLINUX, &param);

        con2fb.console = 1;
        con2fb.framebuffer = 0;
        ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

        return 0;
    }

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:

    set_con2fb_map
     -> con2fb_init_display
      -> fbcon_set_disp
       -> redraw_screen
        -> hide_cursor
         -> clear_selection
          -> highlight
           -> invert_screen
            -> do_update_region
             -> fbcon_putcs
              -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     -                 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)   6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)   6.11.4 (excluding)
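
To triage hosts against the ranges in the table above, the following added example (not part of the advisory or the kernel project) compares a `uname -r` style release string with those three ranges. The function names and the sample release strings are assumptions made for illustration; only the range bounds come from the table.

```python
import re

# Affected ranges copied from the table above: (from_inclusive, up_to_exclusive).
# None means the table lists no lower bound for that row.
AFFECTED_RANGES = [
    (None, (6, 1, 113)),
    ((6, 2, 0), (6, 6, 57)),
    ((6, 7, 0), (6, 11, 4)),
]

# Leading "major.minor[.patch]" of a release string; suffixes such as
# "-generic" or "-arch1-1" are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def affected_range(release):
    """Return the matching (from, up_to) range, or None if outside all ranges."""
    version = parse_release(release)
    for low, high in AFFECTED_RANGES:
        if (low is None or version >= low) and version < high:
            return (low, high)
    return None


def first_unaffected(release):
    """Return the excluded upper bound of the matching range as a string, or None."""
    hit = affected_range(release)
    return ".".join(map(str, hit[1])) if hit else None


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the advisory.
    samples = ["5.15.167", "6.1.112", "6.1.113", "6.6.56-generic",
               "6.6.57", "6.10.3-arch1-1", "6.11.4"]
    for sample in samples:
        bound = first_unaffected(sample)
        status = f"in listed range, below {bound}" if bound else "outside listed ranges"
        print(f"{sample:18} {status}")
```

Distribution kernels often carry backported fixes without changing the upstream version number, so a match here is a prompt to check the vendor's own advisory rather than proof that the host is vulnerable.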