CVE-2025-40323

Summary

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Set fb_display[i]->mode to NULL when the mode is released

Recently, we discovered the following issue through syzkaller:

BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx … Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps:

  1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1;
  2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
  3. Switch console from fb to VGA (to allow normal rmmod of the ko);
  4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[];
  5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0.

Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 39c2c1a2773aaf73e56906e5ef670114eb2d354faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4ebaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 468f78276a37f4c6499385a4ce28f4f57be6655daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c079d42f70109512eee49123a843be91d8fa133faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a1f3058930745d2b938b6b4f5bd9630dc74b26b7affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.117 <= 6.6.*unaffected
LinuxLinux6.12.58 <= 6.12.*unaffected
LinuxLinux6.17.8 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References