First published: Mon Oct 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer (headers and comments added for readability; the open/ioctl sequence is unchanged):

```c
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/ioctl.h>    /* ioctl(), TIOCLINUX */
#include <linux/fb.h>     /* struct fb_con2fbmap, FBIOPUT_CON2FBMAP */
#include <linux/tiocl.h>  /* struct tiocl_selection */

struct param {
    uint8_t type;
    struct tiocl_selection ts;
};

int main(void)
{
    struct fb_con2fbmap con2fb;
    struct param param;
    int fd = open("/dev/fb1", 0, 0);

    /* map console 0x19 to framebuffer 0 */
    con2fb.console = 0x19;
    con2fb.framebuffer = 0;
    ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

    /* TIOCLINUX subcommand 2 (set selection) with an empty selection */
    param.type = 2;
    param.ts.xs = 0;
    param.ts.ys = 0;
    param.ts.xe = 0;
    param.ts.ye = 0;
    param.ts.sel_mode = 0;
    int fd1 = open("/dev/tty1", O_RDWR, 0);
    ioctl(fd1, TIOCLINUX, &param);

    /* remap console 1 to framebuffer 0: this takes the crashing path below */
    con2fb.console = 1;
    con2fb.framebuffer = 0;
    ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
    return 0;
}
```

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:

set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call set_blitting_type() within set_con2fb_map() to properly initialize ops->putcs.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix
---|---|---
Linux Kernel | <6.1.113 | |
Linux Kernel | >=6.2 <6.6.57 | |
Linux Kernel | >=6.7 <6.11.4 | |
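The affected ranges in the table above can be turned into a quick host check. The following is an added example, not part of the advisory or of any SecAlerts tooling: it encodes the three ranges as stated in the table (lower bound inclusive, upper bound exclusive, no lower bound for the first), normalises a kernel release string such as the output of `uname -r`, and reports whether it falls inside a listed range. The `-generic`/`-arch1` style suffixes are assumed to carry no version information and are ignored; distribution kernels that backport the fix without changing the version number will still be reported as affected, so treat the result as a prompt to check your vendor's advisory, not as proof.

```python
import re
import subprocess

# Affected ranges copied from the advisory table: (inclusive low, exclusive high).
# None as the low bound means "every earlier release".
AFFECTED_RANGES = [
    (None, "6.1.113"),
    ("6.2", "6.6.57"),
    ("6.7", "6.11.4"),
]


def parse_version(text):
    """Turn '6.6.56-generic' or '6.2' into a comparable (major, minor, patch) tuple.

    A missing patch level is treated as 0, so '6.2' sorts before '6.2.1'.
    Anything after the numeric prefix (distro suffixes) is assumed irrelevant.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version_text, ranges=AFFECTED_RANGES):
    """True if the given kernel release lies inside any listed affected range."""
    v = parse_version(version_text)
    for low, high in ranges:
        low_ok = low is None or parse_version(low) <= v
        if low_ok and v < parse_version(high):
            return True
    return False


def running_kernel():
    """Release string of the running kernel, as printed by `uname -r`."""
    out = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    release = running_kernel()
    verdict = "inside a listed affected range" if is_affected(release) else "not in a listed affected range"
    print(f"kernel {release}: {verdict} for CVE-2024-50048")
```

Run it on each host you manage, or feed it inventory strings from a CMDB; the `is_affected` function is pure, so it can be dropped into an existing fleet-audit script without the `uname` call.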
CVE-2024-50048 is classified as a high severity vulnerability due to the potential for a NULL pointer dereference leading to a system crash.
CVE-2024-50048 affects versions of the Linux kernel from 6.1.113 to 6.11.4 and between 6.2 and 6.6.57.
To fix CVE-2024-50048, update the Linux kernel to a release that contains the fix for its stable series, that is 6.1.113, 6.6.57 or 6.11.4 or later, as listed in the affected-version table above.
CVE-2024-50048 is caused by a NULL pointer dereference issue found in the framebuffer console (fbcon) functionality.
CVE-2024-50048 is not explicitly stated as remotely exploitable, but it may be leveraged by local users for denial of service.