CVE-2024-50048

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer:

struct param { uint8t type; struct tioclselection ts; };

int main() { struct fb_con2fbmap con2fb; struct param param;

int fd = open("/dev/fb1", 0, 0);

con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;

int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, &param);

con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

return 0;

}

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:

setcon2fbmap -> con2fbinitdisplay -> fbconsetdisp -> redrawscreen -> hidecursor -> clearselection -> highlight -> invertscreen -> doupdateregion -> fbcon_putcs -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call setblittingtype() within setcon2fbmap() to properly initialize ops->putcs.