1880006 – (CVE-2020-28097) CVE-2020-28097 kernel: out-of-bounds read/write in vgacon_scrolldelta function

Bug 1880006 (CVE-2020-28097) - CVE-2020-28097 kernel: out-of-bounds read/write in vgacon_scrolldelta function

Summary: CVE-2020-28097 kernel: out-of-bounds read/write in vgacon_scrolldelta function

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-28097
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1976208 (view as bug list)
Depends On:	1979450 1979452 1979453 1883596 1883597 1883598 1883599 1883600 1883877 1979538
Blocks:	1877275 1976210
TreeView+	depends on / blocked

Reported:	2020-09-17 14:20 UTC by msiddiqu
Modified:	2024-03-25 16:31 UTC (History)
CC List:	49 users (show)
Fixed In Version:	kernel 5.8.10
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles. When a local attacker attempts to scroll the console, calling an ioctl TIOCL_SCROLLCONSOLE, an out-of-bounds memory access issue occurs. This flaw allows a local user with access to the VGA console to crash the system, potentially reading random out-of-bound memory on the system. The highest threat from this vulnerability is to system availability and data confidentiality.
Clone Of:
Environment:
Last Closed:	2021-05-18 20:36:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2020-09-17 14:20:06 UTC

A flaw was found in the vgacon_scrolldelta of the Linux Kernel which may be utilized to conduct a out-of-bounds reading to leak information. This BUG is caused by "soff" being negative after VT_RESIZE.

References: 
 
https://www.openwall.com/lists/oss-security/2020/09/16/1

Upstream Patch:
 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=973c096f6a85e5b5f2a295126ba6928d9a6afd45

Comment 1 Alex 2020-09-29 14:47:58 UTC

Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 3 Alex 2020-09-30 12:56:48 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1883877]

Comment 4 Justin M. Forbes 2020-10-01 12:57:24 UTC

This was fixed for Fedora with the 5.8.10 stable updates.

Comment 5 Alex 2021-07-06 17:39:35 UTC

The CVE for this one is CVE-2020-28097

Comment 7 Alex 2021-07-06 17:47:22 UTC

*** Bug 1976208 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

acaringi
airlied
bhu
blc
bmasney
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
gsuckevi
hdegoede
hkrzesin
iboverma
ichavero
itamar
jarod
jarodwilson
jeremy
jforbes
jglisse
jlelli
john.j5live
jonathan
josef
jross
jshortt
jstancek
jwboyer
kcarcia
kernel-maint
kernel-mgr
lgoncalv
linville
masami256
mchehab
mcressma
mjg59
mlangsdo
nmurray
ptalbert
qzhao
rt-maint
rvrbovsk
security-response-team
steved
walters
williams