
THREATINT
PUBLISHED

CVE-2024-26798

fbcon: always restore the old font data in fbcon_do_set_font()



Description

In the Linux kernel, the following vulnerability has been resolved:

fbcon: always restore the old font data in fbcon_do_set_font()

Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize().

This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius:

  BUG: unable to handle page fault for address: fffffffffffffff8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP KASAN
  CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
  Call Trace:
   <TASK>
   con_font_get drivers/tty/vt/vt.c:4558 [inline]
   con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
   vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
   vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
   tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
   vfs_ioctl fs/ioctl.c:51 [inline]
   ...

So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)

Reserved 2024-02-19 | Published 2024-04-04 | Updated 2024-12-19 | Assigner Linux
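The description above boils down to a save/restore error-path bug: the previous font pointer was remembered only when the previous font was a user font, so a console that still ran its built-in font got NULL "restored" when vc_resize() failed, and the next font_get() dereferenced it. The following user-space model is an added example written for this page; it is not the kernel's fbcon code. The struct, the function names (set_font_vulnerable, set_font_fixed, get_font_model, model_vc_resize, run_scenario), the fault-injection flag and the glyph bytes are all assumptions constructed to mirror the two variants of fbcon_do_set_font() that the description contrasts.

```c
/* Added example, not kernel code: a user-space model of the save/restore
 * error-path bug described for CVE-2024-26798. All names and data below are
 * constructed assumptions that mirror fbcon_do_set_font() before and after the fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct console_font_model {
    const unsigned char *data;   /* glyph table; NULL is the broken state get_font oopses on */
    int width, height, charcount;
    bool userfont;               /* true for a user-supplied font, false for a built-in one */
};

/* Constructed sample data: a built-in ("system") font and a user-supplied one. */
static const unsigned char system_font[8] = { 0x18, 0x24, 0x42, 0x7e, 0x42, 0x42, 0x42, 0x00 };
static const unsigned char user_font[8]   = { 0x7c, 0x42, 0x7c, 0x42, 0x42, 0x7c, 0x00, 0x00 };

/* Stand-in for vc_resize(): fails with -ENOMEM while fault injection is armed. */
static bool inject_resize_failure = false;
static int model_vc_resize(struct console_font_model *vc, int w, int h)
{
    (void)vc; (void)w; (void)h;
    return inject_resize_failure ? -12 : 0;   /* -12 == -ENOMEM */
}

static void install_font(struct console_font_model *vc, const unsigned char *data,
                         int w, int h, int charcount, bool userfont)
{
    vc->data = data; vc->width = w; vc->height = h;
    vc->charcount = charcount; vc->userfont = userfont;
}

/* Vulnerable variant: the previous font pointer is remembered only when the
 * previous font was a user font, so a failed resize on a console that is still
 * running its system font "restores" NULL. */
static int set_font_vulnerable(struct console_font_model *vc, const unsigned char *data,
                               int w, int h, int charcount, bool userfont)
{
    const unsigned char *old_data = NULL;
    if (vc->userfont)                    /* the bug: a system font is never saved */
        old_data = vc->data;
    int old_w = vc->width, old_h = vc->height, old_cc = vc->charcount;
    bool old_userfont = vc->userfont;

    install_font(vc, data, w, h, charcount, userfont);
    int ret = model_vc_resize(vc, w, h);
    if (ret) {
        install_font(vc, old_data, old_w, old_h, old_cc, old_userfont);  /* old_data may be NULL */
        return ret;
    }
    return 0;
}

/* Fixed variant: always save the previous font and restore it unconditionally. */
static int set_font_fixed(struct console_font_model *vc, const unsigned char *data,
                          int w, int h, int charcount, bool userfont)
{
    const unsigned char *old_data = vc->data;   /* saved for user and system fonts alike */
    int old_w = vc->width, old_h = vc->height, old_cc = vc->charcount;
    bool old_userfont = vc->userfont;

    install_font(vc, data, w, h, charcount, userfont);
    int ret = model_vc_resize(vc, w, h);
    if (ret) {
        install_font(vc, old_data, old_w, old_h, old_cc, old_userfont);
        return ret;
    }
    return 0;
}

/* Stand-in for fbcon_get_font(): copies the glyph table out. Returns -1 instead
 * of dereferencing a NULL font pointer, which is where the real kernel oopsed. */
static int get_font_model(const struct console_font_model *vc, unsigned char *out, size_t outlen)
{
    if (!vc->data)
        return -1;
    size_t n = (size_t)vc->height;
    if (n > outlen)
        n = outlen;
    memcpy(out, vc->data, n);
    return (int)n;
}

/* One scenario: the console starts on its system font, the very first set_font
 * hits a resize failure, then get_font runs. Returns 0 when the system font is
 * back in place, 1 when the font pointer was lost, 2 if something else went wrong. */
static int run_scenario(bool use_fixed)
{
    struct console_font_model vc = { system_font, 8, 8, 256, false };
    unsigned char buf[8];

    inject_resize_failure = true;
    int ret = use_fixed ? set_font_fixed(&vc, user_font, 8, 8, 256, true)
                        : set_font_vulnerable(&vc, user_font, 8, 8, 256, true);
    inject_resize_failure = false;

    if (ret == 0)
        return 2;                            /* the injected failure must propagate */
    if (get_font_model(&vc, buf, sizeof buf) < 0)
        return 1;
    return (vc.data == system_font && !vc.userfont) ? 0 : 2;
}

int main(void)
{
    printf("vulnerable set_font: %d (1 = font pointer lost, get_font would oops)\n", run_scenario(false));
    printf("fixed set_font:      %d (0 = system font restored)\n", run_scenario(true));
    return 0;
}
```

The model deliberately keeps the failure path identical in both variants; the only difference is whether old_data is captured unconditionally before the fallible call. That is the whole fix: save state before every operation that can fail, and restore it without conditions on the error path. The real patch additionally keys the later reference-count drop on old_userfont rather than on old_data, since old_data is now always set; the model omits reference counting.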

Product status

Git commit ranges (default status: unaffected)

- ebd6f886aa2447fcfcdce5450c9e1028e1d681bb before 20a4b5214f7bee13c897477168c77bbf79683c3d: affected
- a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 before 2f91a96b892fab2f2543b4a55740c5bee36b1a6b: affected
- a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 before 73a6bd68a1342f3a44cac9dffad81ad6a003e520: affected
- a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 before a2c881413dcc5d801bdc9535e51270cc88cb9cd8: affected
- a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 before 00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f: affected

Kernel versions (default status: affected)

- 6.0: affected
- Any version before 6.0: unaffected
- 5.15.151: unaffected
- 6.1.81: unaffected
- 6.6.21: unaffected
- 6.7.9: unaffected
- 6.8: unaffected

References

git.kernel.org/...c/20a4b5214f7bee13c897477168c77bbf79683c3d

git.kernel.org/...c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b

git.kernel.org/...c/73a6bd68a1342f3a44cac9dffad81ad6a003e520

git.kernel.org/...c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8

git.kernel.org/...c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f

cve.org (CVE-2024-26798)

nvd.nist.gov (CVE-2024-26798)
