Bug 1880006 (CVE-2020-28097) - CVE-2020-28097 kernel: out-of-bounds read/write in vgacon_scrolldelta function
Summary: CVE-2020-28097 kernel: out-of-bounds read/write in vgacon_scrolldelta function
Alias: CVE-2020-28097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: 1976208 (view as bug list)
Depends On: 1979450 1979452 1979453 1883596 1883597 1883598 1883599 1883600 1883877 1979538
Blocks: 1877275 1976210
TreeView+ depends on / blocked
Reported: 2020-09-17 14:20 UTC by msiddiqu
Modified: 2022-04-20 20:08 UTC (History)
49 users (show)

Fixed In Version: kernel 5.8.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles. When a local attacker attempts to scroll the console, calling an ioctl TIOCL_SCROLLCONSOLE, an out-of-bounds memory access issue occurs. This flaw allows a local user with access to the VGA console to crash the system, potentially reading random out-of-bound memory on the system. The highest threat from this vulnerability is to system availability and data confidentiality.
Clone Of:
Last Closed: 2021-05-18 20:36:15 UTC

Attachments (Terms of Use)

Description msiddiqu 2020-09-17 14:20:06 UTC
A flaw was found in the vgacon_scrolldelta of the Linux Kernel which may be utilized to conduct a out-of-bounds reading to leak information. This BUG is caused by "soff" being negative after VT_RESIZE.


Upstream Patch:

Comment 1 Alex 2020-09-29 14:47:58 UTC

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 3 Alex 2020-09-30 12:56:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1883877]

Comment 4 Justin M. Forbes 2020-10-01 12:57:24 UTC
This was fixed for Fedora with the 5.8.10 stable updates.

Comment 5 Alex 2021-07-06 17:39:35 UTC
The CVE for this one is CVE-2020-28097

Comment 7 Alex 2021-07-06 17:47:22 UTC
*** Bug 1976208 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.