Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-40323

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

fbcon: Set fb_display[i]->mode to NULL when the mode is released

Recently, we discovered the following issue through syzkaller:

BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:

dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps:
1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0.

Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.
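As an added illustration (not code from the kernel or from this advisory), the following C model shows the ownership relation the commit describes and the fix it applies: every fb_display[] entry that points into a modelist is cleared before that list is freed, so later lookups see NULL rather than freed memory. The names fb_register, fb_display_bind and display_mode_equals, the two-field fb_videomode and the MAX_CONS table size are constructed stand-ins, not the kernel's own API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the ownership relation described in the fix (illustrative code,
 * not the kernel's fbmem/fbcon implementation): each fb_info owns a heap-allocated
 * modelist; the global fb_display[] table holds one raw pointer per console into it. */
#define MAX_CONS 4
struct fb_videomode { unsigned int xres, yres; };
struct fb_info { struct fb_videomode *modelist; size_t nmodes; };
static const struct fb_videomode *fb_display[MAX_CONS];  /* stands for fb_display[i]->mode */

static struct fb_info *fb_register(size_t nmodes)
{
    struct fb_info *info = calloc(1, sizeof *info);
    if (!info) return NULL;
    info->modelist = calloc(nmodes, sizeof *info->modelist);
    if (!info->modelist) { free(info); return NULL; }
    info->nmodes = nmodes;
    for (size_t i = 0; i < nmodes; i++)  /* distinct constructed modes per framebuffer */
        info->modelist[i] = (struct fb_videomode){ 640u << i, 480u << i };
    return info;
}
/* Bind console `con` to mode `idx` of `info` (the FBIOPUT_CON2FBMAP analogue). */
static void fb_display_bind(int con, const struct fb_info *info, size_t idx)
{
    fb_display[con] = &info->modelist[idx];
}

/* Unregister with the fix applied: before the modelist is freed, every fb_display[]
 * entry pointing into that allocation is cleared, so a later fb_mode_is_equal()-style
 * lookup sees NULL instead of freed memory. Returns the number of entries cleared. */
static int fb_unregister(struct fb_info *info)
{
    uintptr_t lo = (uintptr_t)info->modelist, hi = (uintptr_t)(info->modelist + info->nmodes);
    int cleared = 0;
    for (int i = 0; i < MAX_CONS; i++)  /* NULL entries fall below `lo` and are skipped */
        if ((uintptr_t)fb_display[i] >= lo && (uintptr_t)fb_display[i] < hi) {
            fb_display[i] = NULL;
            cleared++;
        }
    free(info->modelist);
    free(info);
    return cleared;
}
/* Consumers treat a released (NULL) console mode as "no match" instead of dereferencing it. */
static bool display_mode_equals(int con, const struct fb_videomode *m)
{
    const struct fb_videomode *cur = fb_display[con];
    return cur && cur->xres == m->xres && cur->yres == m->yres;
}
```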

Impact