Linux Framebuffer Layer development
* [PATCH] fbdev: protect mode sysfs reads with lock_fb_info()
@ 2026-07-01 22:17 Melbin K Mathew
From: Melbin K Mathew @ 2026-07-01 22:17 UTC (permalink / raw)
  To: deller
  Cc: linux-fbdev, dri-devel, linux-kernel, security, Melbin K Mathew, stable

show_mode() dereferences fb_info->mode and show_modes() walks
fb_info->modelist without holding lock_fb_info(). store_modes() takes
lock_fb_info() while replacing the modelist and freeing the old one.

A concurrent reader can load a pointer to an old modelist entry before
store_modes() frees it, then dereference freed memory in mode_string().

Take lock_fb_info() in both show_mode() and show_modes() to serialize
with store_modes(). In show_mode(), copy the mode to the stack and
format the stack copy after dropping the lock.

Impact: local kernel UAF read when a privileged writer races with
sysfs readers of /sys/class/graphics/fb*/mode and modes.

Cc: stable@vger.kernel.org
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
---
A userspace reproducer triggering the race is available to maintainers on request.

 drivers/video/fbdev/core/fbsysfs.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c
index ea196603c7..6bdb25f7be 100644
--- a/drivers/video/fbdev/core/fbsysfs.c
+++ b/drivers/video/fbdev/core/fbsysfs.c
@@ -82,11 +82,20 @@ static ssize_t show_mode(struct device *device, struct device_attribute *attr,
 			 char *buf)
 {
 	struct fb_info *fb_info = dev_get_drvdata(device);
+	struct fb_videomode mode;
+	bool have_mode = false;
 
-	if (!fb_info->mode)
+	lock_fb_info(fb_info);
+	if (fb_info->mode) {
+		mode = *fb_info->mode;
+		have_mode = true;
+	}
+	unlock_fb_info(fb_info);
+
+	if (!have_mode)
 		return 0;
 
-	return mode_string(buf, 0, fb_info->mode);
+	return mode_string(buf, 0, &mode);
 }
 
 static ssize_t store_modes(struct device *device,
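Review bot: the struct copy at `mode = *fb_info->mode;` still dereferences a pointer into the modelist, so the lock only closes the race while every path that frees or unlinks a modelist entry either holds lock_fb_info() itself or resets fb_info->mode first; a deletion that leaves fb_info->mode pointing at a removed entry would be copied from freed memory under the lock exactly as before. Worth confirming those paths (the v3 2/3 in this thread, "clear fb_info->mode before deleting a videomode", suggests one was found). A second caveat for the commit message: the shallow copy is safe only because mode_string() formats scalar fields of the copy; if it ever followed a pointer member of struct fb_videomode such as `name`, that pointer would still reference the old entry after the lock is dropped.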
@@ -134,10 +143,13 @@ static ssize_t show_modes(struct device *device, struct device_attribute *attr,
 	const struct fb_videomode *mode;
 
 	i = 0;
+	lock_fb_info(fb_info);
 	list_for_each_entry(modelist, &fb_info->modelist, list) {
 		mode = &modelist->mode;
 		i += mode_string(buf, i, mode);
 	}
+	unlock_fb_info(fb_info);
+
 	return i;
 }
 
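Review bot: the walk is now serialized, but `i += mode_string(buf, i, mode);` still accumulates with no check of `i` against the size of the sysfs buffer (one page), so a long modelist can carry `i` past the end of `buf` and `return i;` then reports more bytes than were written into the page. Break out of the loop as soon as the next entry would not fit and return only the bytes actually written; the thread's v2 1/2, "bound mode sysfs output to the sysfs buffer", appears to address exactly this and should land before or together with this change.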
-- 
2.39.5
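As an added illustration (this is not kernel code and not part of the patch), the following user-space C model shows the pattern the patch adopts in show_mode(): take the lock, copy the current mode to the stack, drop the lock, and only then format the copy, so no pointer into the mode list outlives the critical section. It also bounds the list walk to the caller's buffer, the follow-up concern the v2/v3 subjects in this thread name. The names fb_state, lock_fb(), snapshot_mode() and the mode strings are this example's own inventions, the lock is a counter with an assertion standing in for lock_fb_info()/lockdep_assert_held(), and the mode data is constructed sample input.

```c
/* Added user-space model of the copy-under-lock pattern; names and data are
 * this example's own, not from the fbdev code. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct videomode { unsigned xres, yres, refresh; };

struct fb_state {
	int lock_depth;               /* stand-in for lock_fb_info(): >0 means held */
	struct videomode *modes;      /* owned array, freed when replaced */
	size_t nmodes;
	const struct videomode *mode; /* current mode, points into modes[] */
};

static void lock_fb(struct fb_state *s)   { s->lock_depth++; }
static void unlock_fb(struct fb_state *s) { assert(s->lock_depth > 0); s->lock_depth--; }
/* lockdep_assert_held()-style guard: list and mode are only valid under the lock */
static void assert_fb_locked(const struct fb_state *s) { assert(s->lock_depth > 0); }

/* Bounded formatter: appends "XRESxYRES-REFRESH\n" at buf[off].  Returns the
 * bytes appended, or -1 with buf[off] reset if the whole line does not fit. */
static int mode_string(char *buf, size_t off, size_t len, const struct videomode *m)
{
	if (off >= len)
		return -1;
	int n = snprintf(buf + off, len - off, "%ux%u-%u\n", m->xres, m->yres, m->refresh);
	if (n < 0 || (size_t)n >= len - off) {
		buf[off] = '\0'; /* never report bytes that were not written */
		return -1;
	}
	return n;
}

/* Writer: replace the list and free the old one, entirely under the lock. */
static void store_modes(struct fb_state *s, const struct videomode *src, size_t n)
{
	struct videomode *fresh = calloc(n ? n : 1, sizeof *fresh);
	assert(fresh);
	memcpy(fresh, src, n * sizeof *fresh);
	lock_fb(s);
	free(s->modes);  /* any raw pointer a reader still held is now dangling */
	s->modes = fresh;
	s->nmodes = n;
	s->mode = n ? &fresh[0] : NULL;
	unlock_fb(s);
}

/* Reader, as in the patched show_mode(): copy under the lock, format after. */
static bool snapshot_mode(struct fb_state *s, struct videomode *out)
{
	bool have = false;
	lock_fb(s);
	assert_fb_locked(s);
	if (s->mode) {
		*out = *s->mode; /* struct copy: no list pointer escapes the lock */
		have = true;
	}
	unlock_fb(s);
	return have;
}

static int show_mode(struct fb_state *s, char *buf, size_t len)
{
	struct videomode copy;
	if (len)
		buf[0] = '\0';
	if (!snapshot_mode(s, &copy))
		return 0;
	int n = mode_string(buf, 0, len, &copy);
	return n < 0 ? 0 : n;
}

/* As in the patched show_modes(), but the walk stops as soon as the next line
 * would overrun the buffer, so the returned count never exceeds what was written. */
static int show_modes(struct fb_state *s, char *buf, size_t len)
{
	int total = 0;
	if (len)
		buf[0] = '\0';
	lock_fb(s);
	assert_fb_locked(s);
	for (size_t i = 0; i < s->nmodes; i++) {
		int n = mode_string(buf, (size_t)total, len, &s->modes[i]);
		if (n < 0)
			break;
		total += n;
	}
	unlock_fb(s);
	return total;
}

static const struct videomode demo_modes[] = { /* constructed sample data */
	{ 1024, 768, 60 }, { 1280, 1024, 75 }, { 640, 480, 60 },
};

int main(void)
{
	struct fb_state fb = { 0 };
	char buf[64];
	store_modes(&fb, demo_modes, 3);
	show_mode(&fb, buf, sizeof buf);
	printf("mode:  %s", buf);
	show_modes(&fb, buf, sizeof buf);
	printf("modes:\n%s", buf);
	free(fb.modes);
	return 0;
}
```

The snapshot taken by snapshot_mode() stays valid after store_modes() frees the array it was copied from, which is the property the kernel change relies on; the bounded mode_string() is the companion fix the later series in this thread describes.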




Thread overview: 8+ messages
2026-07-01 22:17 [PATCH] fbdev: protect mode sysfs reads with lock_fb_info() Melbin K Mathew
2026-07-01 23:17 ` [PATCH v2 0/2] fbdev: fix mode sysfs lifetime and bounds issues Melbin K Mathew
2026-07-01 23:42   ` [PATCH v3 0/3] " Melbin K Mathew
2026-07-01 23:42   ` [PATCH v3 1/3] fbdev: bound mode sysfs output to the sysfs buffer Melbin K Mathew
2026-07-01 23:42   ` [PATCH v3 2/3] fbdev: clear fb_info->mode before deleting a videomode Melbin K Mathew
2026-07-01 23:42   ` [PATCH v3 3/3] fbdev: serialize mode sysfs access with lock_fb_info() Melbin K Mathew
2026-07-01 23:17 ` [PATCH v2 1/2] fbdev: bound mode sysfs output to the sysfs buffer Melbin K Mathew
2026-07-01 23:17 ` [PATCH v2 2/2] fbdev: serialize mode sysfs access with lock_fb_info() Melbin K Mathew
