The syscons CONS_SCRSHOT ioctl(2)
does insufficient validation of its input arguments. In
particular, negative coordinates or large coordinates may
cause unexpected behavior.
It may be possible to cause the CONS_SCRSHOT ioctl to
return portions of kernel memory. Such memory might
contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be
directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer
might include a user-entered password.
This bug may be exploitable by users who have access to the
physical console or can otherwise open a /dev/ttyv* device
node.