Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

Low

Attack Vector

Local

CVE-2024-50048

Disclosure Date: October 21, 2024 •

CVE-2024-50048 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:

struct param {

uint8_t type;
struct tiocl_selection ts;

};

int main()
{

struct fb_con2fbmap con2fb;
struct param param;

int fd = open("/dev/fb1", 0, 0);

con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;

int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, &param);

con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

return 0;

}

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:

set_con2fb_map
–> con2fb_init_display
–> fbcon_set_disp

-> redraw_screen
 -> hide_cursor
  -> clear_selection
   -> highlight
    -> invert_screen
     -> do_update_region
      -> fbcon_putcs
       -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

linux

Products

linux kernel

References

Canonical

CVE-2024-50048 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50048)

Miscellaneous

https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e

https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b

https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b

https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7

Rapid7

Unknown

CVE-2024-50048

Unknown

Unknown

None

Low

Local

CVE-2024-50048

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-50048

Unknown

Unknown

None

Low

Local

CVE-2024-50048

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification