CVE-2025-40323
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Recently, we discovered the following issue through syzkaller:
BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx … Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps:
- With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1;
- Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
- Switch console from fb to VGA (to allow normal rmmod of the ko);
- Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[];
- Trigger the bug via system calls through fb0 attempting to delete a mode from fb0.
Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 39c2c1a2773aaf73e56906e5ef670114eb2d354f | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 468f78276a37f4c6499385a4ce28f4f57be6655d | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c079d42f70109512eee49123a843be91d8fa133f | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a1f3058930745d2b938b6b4f5bd9630dc74b26b7 | affected |
| Linux | Linux | 2.6.12 | affected |
| Linux | Linux | 0 < 2.6.12 | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.159 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.117 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.58 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.8 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/39c2c1a2773aaf73e56906e5ef670114eb2d354f
- https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb
- https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d
- https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f
- https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8
- https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.