CVE-2024-50048
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50048
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50048.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50048
- Downstream
- Related
- Published
- 2024-10-21T20:15:17Z
- Modified
- 2025-08-09T19:01:28Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer:
struct param { uint8t type; struct tioclselection ts; };
int main() { struct fb_con2fbmap con2fb; struct param param;
int fd = open("/dev/fb1", 0, 0); con2fb.console = 0x19; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); param.type = 2; param.ts.xs = 0; param.ts.ys = 0; param.ts.xe = 0; param.ts.ye = 0; param.ts.sel_mode = 0; int fd1 = open("/dev/tty1", O_RDWR, 0); ioctl(fd1, TIOCLINUX, ¶m); con2fb.console = 1; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); return 0;}
After calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:
setcon2fbmap -> con2fbinitdisplay -> fbconsetdisp -> redrawscreen -> hidecursor -> clearselection -> highlight -> invertscreen -> doupdateregion -> fbcon_putcs -> ops->putcs
Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call setblittingtype() within setcon2fbmap() to properly initialize ops->putcs.
- References