Re: [CVE-2020-14331] Linux Kernel: buffer over write in vgacon_scrollback_update

[Eric Biggers <ebiggers () kernel org>]

On Tue, Jul 28, 2020 at 11:16:55AM +0800, 张云海 wrote:
> There is a buffer over write in drivers/video/console/vgacon.c in
> vgacon_scrollback_update.
>
> The issue is reported by Yunhai Zhang / NSFOCUS Security Team
> <zhangyunhai () nsfocus com>, CVE-2020-14331 assigned via Red Hat.
>
> # Affected Versions
> The issue is found and tested on 5.7.0-rc6.
> The issue is introduced in commit:
> 15bdab959c9bb909c0317480dd9b35748a8f7887 ([PATCH] vgacon: Add support
> for soft scrollback)
> According to code review, all versions older than
> 92ed301919932f777713b9172e525674157e983d (v5.8-rc7) are affected.

Thanks for the writeup.  Note that there are many open syzbot reports in the
fbdev, vt, and vgacon kernel subsystems.  These subsystems aren't actively
maintained (receiving drive-by fixes only), and the kernel developers recommend
to not enable these subsystems if you care about security
(https://lkml.kernel.org/lkml/CAKMK7uF5zZH3CaHueWsLR96-AzT==wP8=MpymTqx-T+SRsXWHA () mail gmail com/).

This particular bug, for example, appears to have been already found by someone
running syzkaller and publicly reported over 2 years ago, with a C reproducer:
(https://lkml.kernel.org/lkml/CAEAjamsJnG-=TSOwgRbbb3B9Z-PA63oWmNPoKYWQ=Z=+X49akg () mail gmail com/).
No one did anything.

I suggest that people relying on the security of these kernel subsystems
contribute resources to fixing the many known fuzzing bugs in them.

- Eric