[PATCH] fbdev: fbcon: Make sure modelist not set on unregistered console

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees@kernel.org>
To: Simona Vetter <simona@ffwll.ch>
Cc: Kees Cook <kees@kernel.org>,
	syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com,
	Helge Deller <deller@gmx.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Jiri Slaby (SUSE)" <jirislaby@kernel.org>,
	Javier Martinez Canillas <javierm@redhat.com>,
	Shixiong Ou <oushixiong@kylinos.cn>,
	linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
	Qianqiang Liu <qianqiang.liu@163.com>,
	Jocelyn Falempe <jfalempe@redhat.com>,
	Zsolt Kajtar <soci@c64.rulez.org>,
	linux-kernel@vger.kernel.org,
	syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com,
	linux-hardening@vger.kernel.org
Subject: [PATCH] fbdev: fbcon: Make sure modelist not set on unregistered console
Date: Fri,  9 May 2025 13:06:47 -0700	[thread overview]
Message-ID: <20250509200643.work.355-kees@kernel.org> (raw)

It looks like attempting to write to the "store_modes" sysfs node will
run afoul of unregistered consoles:

UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
index -1 is out of range for type 'fb_info *[32]'
...
 fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
 dev_attr_store+0x55/0x80 drivers/base/core.c:2439

static struct fb_info *fbcon_registered_fb[FB_MAX];
...
static signed char con2fb_map[MAX_NR_CONSOLES];
...
static struct fb_info *fbcon_info_from_console(int console)
...
        return fbcon_registered_fb[con2fb_map[console]];

If con2fb_map contains a -1 things go wrong here. Instead, return NULL,
as callers of fbcon_info_from_console() are trying to compare against
existing "info" pointers, so error handling should kick in correctly.

Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: <linux-fbdev@vger.kernel.org>
Cc: <dri-devel@lists.freedesktop.org>
---
 drivers/video/fbdev/core/fbcon.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index ac3c99ed92d1..2df48037688d 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -117,9 +117,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES];
 
 static struct fb_info *fbcon_info_from_console(int console)
 {
+	signed char fb;
 	WARN_CONSOLE_UNLOCKED();
 
-	return fbcon_registered_fb[con2fb_map[console]];
+	fb = con2fb_map[console];
+	if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb))
+		return NULL;
+
+	return fbcon_registered_fb[fb];
 }
 
 static int logo_lines;
-- 
2.34.1

next             reply	other threads:[~2025-05-09 20:06 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-09 20:06 Kees Cook [this message]
2025-05-12  7:53 ` [PATCH] fbdev: fbcon: Make sure modelist not set on unregistered console Helge Deller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ac3c99ed92d dfblob:2df48037688 )
 OR (
bs:"[PATCH] fbdev: fbcon: Make sure modelist not set on unregistered console" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250509200643.work.355-kees@kernel.org \
    --to=kees@kernel.org \
    --cc=deller@gmx.de \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=javierm@redhat.com \
    --cc=jfalempe@redhat.com \
    --cc=jirislaby@kernel.org \
    --cc=linux-fbdev@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oushixiong@kylinos.cn \
    --cc=qianqiang.liu@163.com \
    --cc=simona@ffwll.ch \
    --cc=soci@c64.rulez.org \
    --cc=syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com \
    --cc=syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.