In June 2024, a vulnerability labeled CVE-2024-39475 was disclosed and patched in the Linux kernel. This bug concerns the savagefb framebuffer driver, which is used for certain S3 Savage graphics cards. The issue? Poor error handling when initializing graphics settings could crash your system, or worse. Let's break down what happened, why it matters, and how the community fixed the bug.
What Is the Vulnerability?
This issue exists in the Linux kernel’s savagefb driver. Specifically, the savagefb_check_var function checks if the pixel clock (pixclock) is zero, since dividing by zero would cause a kernel error and probably crash your system. However, even after catching the error, the function using it (savagefb_probe) didn’t properly handle the returned error code. That means a division by zero could still happen!
Key Details
- Vulnerable component: drivers/video/fbdev/savagefb.c in the Linux kernel.
Here’s a simplified flow of the vulnerable code:
static int savagefb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
{
...
ret = savagefb_check_var(&info->var, info);
// PROBLEM: ret may be an error, but it is ignored!
// Code continues without checking 'ret'
...
}
The savagefb_check_var() function is supposed to check if a display mode is safe — including making sure pixclock != 0. When pixclock is zero, it returns an error. But in the code above, that error isn’t checked, so the driver keeps going and eventually may divide by zero:
unsigned int timing = 100000000 / var->pixclock; // CRASHES if pixclock == 0!
Real-World Impact
- If triggered by a malicious user or bad configuration, the system could crash just by setting a bad video mode.
How Was It Fixed?
The patch simply checks the return value from savagefb_check_var, and exits the setup process if an error occurs:
static int savagefb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
{
...
ret = savagefb_check_var(&info->var, info);
if (ret) // <--- FIX: handle the error now!
return ret;
...
}
This small but crucial change ensures that no vulnerable code runs if pixclock is zero, keeping the kernel safe from accidental or intentional crashes.
Commit fixing the bug:
- 04e5eac8f3ab - fbdev: savage: Handle err return when savagefb_check_var failed
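To make the fix concrete, here is a small userspace model of the check and the patched probe, written for this post rather than taken from the kernel driver: struct var_info, check_var, probe_fixed and probe_mode are stand-ins for the savagefb code, and the 39721 ps pixel clock is a constructed sample value.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-in for the one field this bug touches; not the kernel's fb_var_screeninfo. */
struct var_info {
    unsigned int pixclock;   /* pixel clock period in picoseconds */
};

/* Models savagefb_check_var(): reject a zero pixel clock before anything divides
 * by it. warn_unused_result is the GCC attribute behind the kernel's __must_check;
 * a call whose result is discarded outright becomes a compile-time warning. */
__attribute__((warn_unused_result))
static int check_var(const struct var_info *var)
{
    if (var->pixclock == 0)
        return -EINVAL;
    return 0;
}

/* Models the patched savagefb_probe(): the check's result is consulted, so the
 * division is only reached with a non-zero pixclock. 0 on success, else -errno. */
static int probe_fixed(const struct var_info *var, unsigned int *timing)
{
    int ret = check_var(var);
    if (ret)
        return ret;                      /* FIX: bail out, as in 04e5eac8f3ab */
    *timing = 100000000u / var->pixclock;
    return 0;
}

/* Pushes one mode through the probe: returns the derived timing, or -errno. */
static long probe_mode(unsigned int pixclock)
{
    struct var_info v = { .pixclock = pixclock };
    unsigned int t = 0;
    int ret = probe_fixed(&v, &t);
    return ret ? ret : (long)t;
}

int main(void)
{   /* Constructed inputs: the crashing mode, then a 25.175 MHz VGA dot clock. */
    printf("pixclock=0     -> %ld\n", probe_mode(0));      /* -22 (-EINVAL) */
    printf("pixclock=39721 -> %ld\n", probe_mode(39721));  /* 2517 */
    return 0;
}
```

Note that warn_unused_result only flags a call whose value is thrown away on the spot; a result assigned to ret and then never examined, as in the unpatched driver, compiles cleanly, so the habit of checking every sanity-check return is what actually closes this class of bug.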
Demonstration: How Could It Be Exploited?
Suppose you have permission to change the framebuffer mode. You could try setting an invalid mode with pixclock set to zero (the kernel might not let non-root users do this, but some setups allow it):
# Example: write a custom display mode with pixclock == 0
sudo fbset -pixclock
On a vulnerable kernel, this would cause a divide-by-zero in the kernel driver. After the patch, the driver refuses to accept the bad mode, and nothing happens.
- June 2024: Bug reported and fixed in the mainline kernel.
- Patch release: commit 04e5eac8f3ab
- Vulnerability database: CVE-2024-39475 at cve.org
- Upstream Bug: fbdev: savage: Handle err return when savagefb_check_var failed
Check your distros! Some Linux distributions may have already backported the fix.
- If you use S3 Savage cards and fbdev: Make sure to use secure display configurations and don’t allow untrusted users to set framebuffer modes.
TL;DR
CVE-2024-39475 was a Linux kernel bug in the savagefb driver, allowing divide-by-zero (and possible DoS) if a bad video mode was set. The fix: check errors! Always handle returns from sanity-check functions. The kernel community patched this fast, so updating your system keeps you safe from this and many similar issues.
Stay secure, keep your systems up to date!
*(If you want to read more, see the patch commit and official CVE page linked above.)*
Timeline
Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:10 UTC