From: Vitaly Chikunov <vt@altlinux.org>
To: Junjie Cao <junjie.cao@intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
	 Simona Vetter <simona@ffwll.ch>, Helge Deller <deller@gmx.de>,
	Zsolt Kajtar <soci@c64.rulez.org>,
	 Albin Babu Varghese <albinbabuvarghese20@gmail.com>,
	linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
	 linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	regressions@lists.linux.dev
Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*
Date: Fri, 26 Dec 2025 01:29:13 +0300
Message-ID: <aU23brU4lZqIkw4Z@altlinux.org>
In-Reply-To: <20251020134701.84082-1-junjie.cao@intel.com>

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
> 
> This fixes a global out-of-bounds read reported by syzbot.
> 
> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>

This commit was applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, and new text then does not appear (or is not visible).

This commit was found with git bisect from v5.10.246 to v5.10.247:

  0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
  commit 0998a6cb232674408a03e8561dc15aa266b2f53b
  Author:     Junjie Cao <junjie.cao@intel.com>
  AuthorDate: 2025-10-20 21:47:01 +0800
  Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  CommitDate: 2025-12-07 06:08:07 +0900

      fbdev: bitblit: bound-check glyph index in bit_putcs*

      commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

      bit_putcs_aligned()/unaligned() derived the glyph pointer from the
      character value masked by 0xff/0x1ff, which may exceed the actual font's
      glyph count and read past the end of the built-in font array.
      Clamp the index to the actual glyph count before computing the address.

      This fixes a global out-of-bounds read reported by syzbot.

      Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
      Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Signed-off-by: Junjie Cao <junjie.cao@intel.com>
      Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
      Signed-off-by: Helge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
   1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer on the CLI, after the kernel is booted:

  date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b

> ---
> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> v1 -> v2:
>  - Fix indentation and add blank line after declarations with the .pl helper
>  - No functional changes
> 
>  drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
> index 9d2e59796c3e..085ffb44c51a 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>  				     struct fb_image *image, u8 *buf, u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
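Review bot: the fallback `ch = 0` in bit_putcs_aligned() depends on vc->vc_font.charcount being populated; if charcount is 0 on some path, `ch >= charcnt` holds for every cell and the whole string is silently drawn as glyph 0. The regression reported above for v5.10.247 (blank screen, or a screen completely filled with one character after chvt, with new text not appearing) is exactly the symptom that would produce. Suggest confirming that charcount is set wherever vc_font.data is installed in the target tree, treating charcount == 0 as "unknown" (keep the masked index rather than clamping), and adding a WARN_ON_ONCE() or similar on the clamped path so a bad font setup shows up in dmesg instead of only on screen.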
> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
>  				       u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 shift_low = 0, mod = vc->vc_font.width % 8;
>  	u32 shift_high = 8;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
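Review bot: this is the same three-line clamp as in bit_putcs_aligned() above, copied verbatim into bit_putcs_unaligned(); a small static inline helper taking vc, the raw cell value and charmask and returning the glyph pointer would keep the two paths from drifting apart and give one place to handle the charcount == 0 case. Note also that the clamp trusts charcount completely: nothing in the hunk checks that charcount matches the glyphs actually present in vc_font.data, so the bound is only as good as what the font loader recorded.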
> -- 
> 2.48.1
> 

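To make the two behaviours the quoted commit message contrasts concrete, here is an added C model (not code from the patch, the kernel or anyone in this thread) of the masked versus clamped glyph-index computation over a constructed font; `struct fake_font`, the constructed fonts and the helper names are assumptions standing in for `vc->vc_font`. It also shows what the clamp does when `charcount` is 0: every character resolves to glyph 0.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the parts of vc->vc_font the patch touches. */
struct fake_font {
	const uint8_t *data;     /* glyph bitmaps, charcount * cellsize bytes */
	unsigned int charcount;  /* number of glyphs actually present */
	unsigned int cellsize;   /* bytes per glyph */
	size_t datalen;          /* real size of the backing array */
};

/* Constructed 128-glyph font, 16 bytes per glyph (2048 bytes in total). */
static const uint8_t demo_glyphs[128 * 16];
static const struct fake_font demo_font = { demo_glyphs, 128, 16, sizeof(demo_glyphs) };
/* Same data with charcount left at 0: every index then clamps to glyph 0. */
static const struct fake_font zero_count_font = { demo_glyphs, 0, 16, sizeof(demo_glyphs) };

/* Pre-patch: only the mask bounds the index, so 0..255 (0..511 with hi_font) all look valid. */
static size_t glyph_offset_masked(const struct fake_font *f, uint16_t raw, int hi_font)
{
	uint16_t charmask = hi_font ? 0x1ff : 0xff;

	return (size_t)(raw & charmask) * f->cellsize;
}

/* Patched: an index at or beyond charcount falls back to glyph 0. */
static size_t glyph_offset_clamped(const struct fake_font *f, uint16_t raw, int hi_font)
{
	uint16_t charmask = hi_font ? 0x1ff : 0xff;
	uint16_t ch = raw & charmask;

	if (ch >= f->charcount)
		ch = 0;
	return (size_t)ch * f->cellsize;
}

/* 1 if reading cellsize bytes at off would run past the backing array. */
static int offset_out_of_bounds(const struct fake_font *f, size_t off)
{
	return off + f->cellsize > f->datalen;
}

/* 1 if every character of text resolves to the same glyph under the clamp (one repeated glyph on screen). */
static int text_collapses_to_one_glyph(const struct fake_font *f, const char *text)
{
	size_t first = glyph_offset_clamped(f, (uint8_t)text[0], 0);

	for (const char *p = text + 1; *p; p++)
		if (glyph_offset_clamped(f, (uint8_t)*p, 0) != first)
			return 0;
	return 1;
}
```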