* stack buffer overflow in fbdev
@ 2019-07-19 14:03 Tavis Ormandy
0 siblings, 0 replies; only message in thread
From: Tavis Ormandy @ 2019-07-19 14:03 UTC (permalink / raw)
To: linux-fbdev
Hello, during a conversation on twitter we noticed a stack buffer
overflow in fbdev with malicious edid data:
https://github.com/torvalds/linux/blob/22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16/drivers/video/fbdev/core/fbmon.c#L1033
There is enough space to have 52 1-byte length values, which makes svd_n
52, then make the final value length 0x1f (the maximum), which makes
svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled
data.
This requires a malicious monitor / projector / etc, so pretty low impact.
I pulled out the code to make a demo (I removed the checksum, but it
doesnt prevent the bug):
https://gist.github.com/taviso/923776e633cb8fb1ab847cce761a0f10
This was discovered by Nico Waisman of Semmle.
Tavis.
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-07-19 14:03 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-07-19 14:03 stack buffer overflow in fbdev Tavis Ormandy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).