CVE-2025-68296

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup

Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs.

VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array.

Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly.

Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all().

Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6a9ee8af344e3bd7dbd61e67037096cdf7f83289 < 711ebd961190def4c69ea24b2f0be75e995af24aaffected
LinuxLinux6a9ee8af344e3bd7dbd61e67037096cdf7f83289 < 482330f8261b4bea8146d9bd69c1199e5dfcbb5caffected
LinuxLinux6a9ee8af344e3bd7dbd61e67037096cdf7f83289 < 05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2aaffected
LinuxLinux6a9ee8af344e3bd7dbd61e67037096cdf7f83289 < eb76d0f5553575599561010f24c277cc5b31d003affected
LinuxLinux2.6.34affected
LinuxLinux0 < 2.6.34unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.61 <= 6.12.*unaffected
LinuxLinux6.17.11 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References