NULL Pointer Dereference Affecting kernel-debug-core package, versions *

Note: Versions mentioned in the description apply only to the upstream kernel-debug-core package and not the kernel-debug-core package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer:

struct param { uint8_t type; struct tiocl_selection ts; };

int main() { struct fb_con2fbmap con2fb; struct param param;

int fd = open("/dev/fb1", 0, 0);

con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;
int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, &param);
con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
return 0;

}

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:

set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call set_blitting_type() within set_con2fb_map() to properly initialize ops->putcs.

• https://access.redhat.com/security/cve/CVE-2024-50048
• https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7
• https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e
• https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b
• https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b