information leak in vga console scrollback buffer

From: Egmont Koblinger
Date: Sat Jun 12 2004 - 15:03:06 EST

Next message: David Ford: "sound driver (opti) spinlock bug, 2.6.7-rc3"
Previous message: Nico Schottelius: "Re: security patches / lsm"
Next in thread: Chris Wedgwood: "Re: information leak in vga console scrollback buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Using the standard vga console, it is easily possible to read some random
pieces of texts that were scrolled out a long time ago (often you can see
your boot messages or similar stuff even after switcing to another
console or even to X. All you need is a local user access to the console.

2.4 and 2.6 series are both affected, maybe older ones too.

What to do to face the bug in 10 seconds:
- switch to a vga text console
- start "less somebigtextfile" where somebigtextfile means longer than a
screenful. /etc/services might be a good choice.
- press Down arrow one or more times
- switch to another console or X, optionally do whatever you want to do
- switch back to "less"
- (Shift+PageUp now doesn't do anything as it is supposed to)
- press the Up arrow
- press Shift+PageUp. Voila! A long buffer of texts that you forgot a long
time ago... And, interesting, when scrolling backwards the columns are
shifted with a certain amount, but when scrolling back to the bottom of
the page with Shift+PageDown the columns are ok.

It seems to me that the bug is triggered when an application tries to
scroll the content of the terminal downwards (i.e. the unusual direction),
and looking at the source, I guess something is wrong around the handling
of the variable "vga_rolled_over" and its fellows in
drivers/video/console/vgacon.c. But I don't yet fully understand the code,
I only have a rough feeling how it works, so unfortunately I'm far from
creating a fix.

I haven't tested it with framebuffer but I guess that one is unaffected.

I guess this is a serious privacy hole since I've seen dozens of people
hitting Alt+F1 Alt+F2 or something similar before they leave the machine
just to make sure that the scrollback buffers are emptied. But due to this
bug it might be possible for others to read some of their scrolled out
data, mail etc...

bye,

Egmont
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Ford: "sound driver (opti) spinlock bug, 2.6.7-rc3"
Previous message: Nico Schottelius: "Re: security patches / lsm"
Next in thread: Chris Wedgwood: "Re: information leak in vga console scrollback buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]