[PATCH AUTOSEL 6.12 1/6] fbcon: Make sure modelist not set on unregistered console

[Sasha Levin <sashal@kernel.org>]

From: Kees Cook <kees@kernel.org>

[ Upstream commit cedc1b63394a866bf8663a3e40f4546f1d28c8d8 ]

It looks like attempting to write to the "store_modes" sysfs node will
run afoul of unregistered consoles:

UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
index -1 is out of range for type 'fb_info *[32]'
...
 fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
 dev_attr_store+0x55/0x80 drivers/base/core.c:2439

static struct fb_info *fbcon_registered_fb[FB_MAX];
...
static signed char con2fb_map[MAX_NR_CONSOLES];
...
static struct fb_info *fbcon_info_from_console(int console)
...
        return fbcon_registered_fb[con2fb_map[console]];

If con2fb_map contains a -1 things go wrong here. Instead, return NULL,
as callers of fbcon_info_from_console() are trying to compare against
existing "info" pointers, so error handling should kick in correctly.

Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

**YES** This commit should be backported to stable kernel trees. Here's
my analysis: ## Security and Stability Issue This commit fixes a
critical **array-index-out-of-bounds vulnerability** that can be
triggered via sysfs. The issue occurs when `con2fb_map[console]`
contains `-1`, causing `fbcon_info_from_console()` to access
`fbcon_registered_fb[-1]`, which is an out-of-bounds array access. ##
Bug Analysis The problem is in the `fbcon_info_from_console()` function
at line 122: ```c // Before fix: return
fbcon_registered_fb[con2fb_map[console]]; // After fix: fb =
con2fb_map[console]; if (fb < 0 || fb >=
ARRAY_SIZE(fbcon_registered_fb)) return NULL; return
fbcon_registered_fb[fb]; ``` ## Trigger Path The vulnerability can be
triggered through: 1. **sysfs interface**: Writing to
`/sys/class/graphics/fbX/modes` 2. **Call chain**: `store_modes()` →
`fb_new_modelist()` → `fbcon_new_modelist()` →
`fbcon_info_from_console()` 3. **User-accessible**: This is exploitable
from userspace through the sysfs interface ## Code Context from Analysis
Based on the git blame, the vulnerable code path in
`fbcon_new_modelist()` has existed since: - Original code from **2005**
(Linus Torvalds) - The problematic `fbcon_info_from_console()` call was
added in **2022** by commit `409d6c95f9c6` ("fbcon: Introduce wrapper
for console->fb_info lookup") ## Risk Assessment 1. **High Impact**:
UBSAN array bounds violation, potential for memory corruption 2. **User
Triggerable**: Accessible via standard sysfs interface 3. **Long-
standing**: The vulnerable pattern has existed since 2022 when the
wrapper was introduced 4. **Active Exploitation**: Reported by syzbot,
indicating active fuzzing found this issue ## Backport Suitability 1.
**Small & Contained**: Only 6 lines changed in a single function 2.
**Safe Fix**: Adds bounds checking without changing logic flow 3. **No
Dependencies**: The fix is self-contained and doesn't require other
commits 4. **Clear Bug**: Definitively fixes out-of-bounds access with
proper NULL return 5. **Stable Pattern**: Callers already handle NULL
returns from `fbcon_info_from_console()` ## Comparison to Historical
Precedent Looking at the similar commits provided: - **Similar Commit
#1** (Backport Status: YES): Fixed boundary checks in fbcon parameter
parsing - this follows the same pattern of fixing bounds issues in fbcon
- The other NO commits were architectural changes or refactoring, not
security fixes This commit perfectly fits the stable tree criteria: it's
an important bugfix, has minimal regression risk, is contained to a
single subsystem, and fixes a user-triggerable vulnerability.

 drivers/video/fbdev/core/fbcon.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 07d127110ca4c..c98786996c647 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -117,9 +117,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES];
 
 static struct fb_info *fbcon_info_from_console(int console)
 {
+	signed char fb;
 	WARN_CONSOLE_UNLOCKED();
 
-	return fbcon_registered_fb[con2fb_map[console]];
+	fb = con2fb_map[console];
+	if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb))
+		return NULL;
+
+	return fbcon_registered_fb[fb];
 }
 
 static int logo_lines;
-- 
2.39.5