From: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
To: Helge Deller <deller@gmx.de>
Cc: Simona Vetter <simona@ffwll.ch>,
syzbot+48b0652a95834717f190@syzkaller.appspotmail.com,
linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Date: Thu, 2 Oct 2025 04:52:18 -0400
Message-ID: <aN49Qt4dezOqAmoo@arch-box>
In-Reply-To: <5ab00319-e43e-4000-8814-c7d67f384c53@gmx.de>
Hi Helge, I tested your suggestions and they seem to work well.
> Do you know if this affects the selection?
> If so, would modifying (reducing/shortening) the selection maybe fix it?
The syzkaller reproducer uses really weird values where xs > xe and ys > ye
(xs=0xa00, xe=0x101, ys=0xc7e, ye=0x100) and set_selection() already swaps them
if needed and clamps the values.
I added debug prints to check what's happening and the clamping in
set_selection() is working and the values coming through are within bounds. But
the crash still happens when you remap the framebuffer because of a slight
overflow.
I also discovered that when image.width is clipped on the X-axis, the character
count (cnt) must also be updated to match, otherwise bit_putcs_aligned()
receives mismatched buffer size and character count parameters, causing
out-of-bounds writes.
So I changed it to something like this:
+ if (image.dx >= info->var.xres)
+ break;
+ if (image.dx + image.width > info->var.xres) {
+ image.width = info->var.xres - image.dx;
+ cnt = image.width / vc->vc_font.width;
+ if (cnt == 0)
+ break;
+ image.width = cnt * vc->vc_font.width;
+ }
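Review bot: the recomputed cnt in the clamp block is not visibly reconciled with the rest of the loop; the fragment ends before whatever advances `s` and `count` by cnt, so a reduced cnt must either leave the next iteration to hit the `image.dx >= info->var.xres` break or the remaining glyphs must be consumed explicitly, and the commit message should say which. The reproducer values quoted earlier put ys/ye out of range as well, so please state whether image.dy/image.height against info->var.yres need the same treatment or why they do not. Minor: `image.dx + image.width > info->var.xres` can wrap for a large width; once the first check has established dx < xres, `image.width > info->var.xres - image.dx` is the wrap-free form.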
I tested it in syzbot, with the syzkaller reproducer, and also manually in QEMU
and verified that the buffer switches from tty1 to tty2 work correctly.
I couldn’t find a dedicated fbdev/fbcon test suite. Beyond kselftests, do you
recommend anything specific before sending v2?
Thanks,
Albin
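An added example, not fbcon code and not part of the thread, that models the X-axis clamp discussed in the reply above and shows concretely why the glyph count has to follow the clipped width. The names clip_run, blit_row, clipped_width, clipped_cnt and overflow_bytes are this example's own; xres, dx, font_w and cnt stand in for info->var.xres, image.dx, vc->vc_font.width and the count handed to bit_putcs_aligned(). It also uses the wrap-free comparison `width > xres - dx` in place of `dx + width > xres`, which is a hardening choice of this example rather than the posted patch.

```c
/*
 * Added example (not fbcon code): X-axis clamp for a run of glyphs and a
 * one-row blit model that measures how far an unclamped count overruns.
 * All names and the scenario values below are constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct clip {
	unsigned int width;	/* clipped run width in pixels */
	unsigned int cnt;	/* glyphs that still fit in that width */
};

/*
 * Clamp cnt glyphs starting at column dx to the visible width xres.
 * Returns false when nothing is visible (the caller breaks out of its
 * loop). width > xres - dx cannot wrap because dx < xres is checked first.
 */
static bool clip_run(unsigned int dx, unsigned int cnt, unsigned int font_w,
		     unsigned int xres, struct clip *out)
{
	unsigned int width = cnt * font_w;

	if (font_w == 0 || dx >= xres)
		return false;
	if (width > xres - dx) {
		width = xres - dx;
		cnt = width / font_w;		/* whole glyphs only */
		if (cnt == 0)
			return false;
		width = cnt * font_w;		/* drop the partial glyph */
	}
	out->width = width;
	out->cnt = cnt;
	return true;
}

/* Scalar wrappers around clip_run(); -1 means "skip this run". */
static int clipped_width(unsigned int dx, unsigned int cnt,
			 unsigned int font_w, unsigned int xres)
{
	struct clip c;

	return clip_run(dx, cnt, font_w, xres, &c) ? (int)c.width : -1;
}

static int clipped_cnt(unsigned int dx, unsigned int cnt,
		       unsigned int font_w, unsigned int xres)
{
	struct clip c;

	return clip_run(dx, cnt, font_w, xres, &c) ? (int)c.cnt : -1;
}

/*
 * Stand-in for the glyph blit: font_w bytes per glyph into a row of pitch
 * bytes (1 byte per pixel). Only the in-bounds part is written; the return
 * value is how many bytes a real blit would put past the end of the row.
 */
static size_t blit_row(unsigned char *row, size_t pitch, unsigned int cnt,
		       unsigned int font_w)
{
	size_t need = (size_t)cnt * font_w;
	size_t copy = need < pitch ? need : pitch;

	memset(row, 0xff, copy);
	return need > pitch ? need - pitch : 0;
}

/*
 * Constructed scenario: 640 px wide, 8 px glyphs, a 16-glyph run starting
 * at column 632, so only one glyph is visible. With recompute_cnt false
 * the width is clipped but cnt stays 16 (the mismatch described in the
 * reply); with it true width and cnt stay consistent. Returns the overrun.
 */
static size_t overflow_bytes(bool recompute_cnt)
{
	const unsigned int xres = 640, font_w = 8, dx = 632;
	unsigned int cnt = 16;
	unsigned int width = cnt * font_w;
	unsigned char row[128];		/* larger than any clipped pitch */
	struct clip c;

	if (recompute_cnt) {
		if (!clip_run(dx, cnt, font_w, xres, &c))
			return 0;
		width = c.width;
		cnt = c.cnt;
	} else if (dx + width > xres) {
		width = xres - dx;	/* width clipped, cnt left alone */
	}
	return blit_row(row, width, cnt, font_w);	/* pitch == width here */
}

int main(void)
{
	printf("width only clipped: %zu bytes past the row\n",
	       overflow_bytes(false));
	printf("width and cnt clipped: %zu bytes past the row\n",
	       overflow_bytes(true));
	return 0;
}
```

The second scenario in the wrappers (dx 600, 10 glyphs) lands on a width that is not a glyph multiple, so the clamp rounds down to five whole glyphs and 40 pixels rather than passing a 40-pixel buffer with a count that implies 80.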
Thread overview: 6+ messages
2025-09-27 7:50 [PATCH] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Albin Babu Varghese
2025-09-30 20:46 ` Helge Deller
2025-10-01 17:19 ` Albin Babu Varghese
2025-10-01 18:36 ` Helge Deller
2025-10-02 8:52 ` Albin Babu Varghese [this message]
2025-10-02 10:11 ` Helge Deller