[PATCH] fbcon: Fix OOB access in font allocation

public inbox for linux-fbdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] fbcon: Fix OOB access in font allocation
@ 2025-09-22 13:45 Thomas Zimmermann
  2025-09-22 18:12 ` Lucas De Marchi
  2025-09-23  1:26 ` Qianqiang Liu
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Zimmermann @ 2025-09-22 13:45 UTC (permalink / raw)
  To: jani.nikula, samasth.norway.ananda, simona, deller
  Cc: linux-fbdev, dri-devel, Thomas Zimmermann, George Kennedy,
	Greg Kroah-Hartman, Ville Syrjälä, Sam Ravnborg,
	Qianqiang Liu, Shixiong Ou, Kees Cook, stable, Zsolt Kajtar

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
Cc: Zsolt Kajtar <soci@c64.rulez.org>
---
 drivers/video/fbdev/core/fbcon.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 5fade44931b8..c1c0cdd7597c 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
 	unsigned charcount = font->charcount;
 	int w = font->width;
 	int h = font->height;
-	int size;
+	int size, alloc_size;
 	int i, csum;
 	u8 *new_data, *data = font->data;
 	int pitch = PITCH(font->width);
@@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
 		return -EINVAL;
 
 	/* Check for overflow in allocation size calculation */
-	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
+	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
 		return -EINVAL;
 
-	new_data = kmalloc(size, GFP_USER);
+	new_data = kmalloc(alloc_size, GFP_USER);
 
 	if (!new_data)
 		return -ENOMEM;
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] fbcon: Fix OOB access in font allocation
  2025-09-22 13:45 [PATCH] fbcon: Fix OOB access in font allocation Thomas Zimmermann
@ 2025-09-22 18:12 ` Lucas De Marchi
  2025-09-23  1:26 ` Qianqiang Liu
  1 sibling, 0 replies; 3+ messages in thread
From: Lucas De Marchi @ 2025-09-22 18:12 UTC (permalink / raw)
  To: Thomas Zimmermann
  Cc: jani.nikula, samasth.norway.ananda, simona, deller, linux-fbdev,
	dri-devel, George Kennedy, Greg Kroah-Hartman,
	Ville Syrjälä, Sam Ravnborg, Qianqiang Liu, Shixiong Ou,
	Kees Cook, stable, Zsolt Kajtar

On Mon, Sep 22, 2025 at 03:45:54PM +0200, Thomas Zimmermann wrote:
>Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
>introduced an out-of-bounds access by storing data and allocation sizes
>in the same variable. Restore the old size calculation and use the new
>variable 'alloc_size' for the allocation.
>
>Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
>Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
>Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
>Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020

this one too:

Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201


Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>

thanks
Lucas De Marchi

>Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
>Cc: Thomas Zimmermann <tzimmermann@suse.de>
>Cc: George Kennedy <george.kennedy@oracle.com>
>Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>Cc: Simona Vetter <simona@ffwll.ch>
>Cc: Helge Deller <deller@gmx.de>
>Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
>Cc: Sam Ravnborg <sam@ravnborg.org>
>Cc: Qianqiang Liu <qianqiang.liu@163.com>
>Cc: Shixiong Ou <oushixiong@kylinos.cn>
>Cc: Kees Cook <kees@kernel.org>
>Cc: <stable@vger.kernel.org> # v5.9+
>Cc: Zsolt Kajtar <soci@c64.rulez.org>
>---
> drivers/video/fbdev/core/fbcon.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
>index 5fade44931b8..c1c0cdd7597c 100644
>--- a/drivers/video/fbdev/core/fbcon.c
>+++ b/drivers/video/fbdev/core/fbcon.c
>@@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> 	unsigned charcount = font->charcount;
> 	int w = font->width;
> 	int h = font->height;
>-	int size;
>+	int size, alloc_size;
> 	int i, csum;
> 	u8 *new_data, *data = font->data;
> 	int pitch = PITCH(font->width);
>@@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> 		return -EINVAL;
>
> 	/* Check for overflow in allocation size calculation */
>-	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
>+	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
> 		return -EINVAL;
>
>-	new_data = kmalloc(size, GFP_USER);
>+	new_data = kmalloc(alloc_size, GFP_USER);
>
> 	if (!new_data)
> 		return -ENOMEM;
>-- 
>2.51.0
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] fbcon: Fix OOB access in font allocation
  2025-09-22 13:45 [PATCH] fbcon: Fix OOB access in font allocation Thomas Zimmermann
  2025-09-22 18:12 ` Lucas De Marchi
@ 2025-09-23  1:26 ` Qianqiang Liu
  1 sibling, 0 replies; 3+ messages in thread
From: Qianqiang Liu @ 2025-09-23  1:26 UTC (permalink / raw)
  To: Thomas Zimmermann
  Cc: jani.nikula, samasth.norway.ananda, simona, deller, linux-fbdev,
	dri-devel, George Kennedy, Greg Kroah-Hartman,
	Ville Syrjälä, Sam Ravnborg, Shixiong Ou, Kees Cook,
	stable, Zsolt Kajtar

On Mon, Sep 22, 2025 at 03:45:54PM +0200, Thomas Zimmermann wrote:
> Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> introduced an out-of-bounds access by storing data and allocation sizes
> in the same variable. Restore the old size calculation and use the new
> variable 'alloc_size' for the allocation.
> 
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
> Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: George Kennedy <george.kennedy@oracle.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Simona Vetter <simona@ffwll.ch>
> Cc: Helge Deller <deller@gmx.de>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Sam Ravnborg <sam@ravnborg.org>
> Cc: Qianqiang Liu <qianqiang.liu@163.com>
> Cc: Shixiong Ou <oushixiong@kylinos.cn>
> Cc: Kees Cook <kees@kernel.org>
> Cc: <stable@vger.kernel.org> # v5.9+
> Cc: Zsolt Kajtar <soci@c64.rulez.org>
> ---
>  drivers/video/fbdev/core/fbcon.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 5fade44931b8..c1c0cdd7597c 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
>  	unsigned charcount = font->charcount;
>  	int w = font->width;
>  	int h = font->height;
> -	int size;
> +	int size, alloc_size;
>  	int i, csum;
>  	u8 *new_data, *data = font->data;
>  	int pitch = PITCH(font->width);
> @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
>  		return -EINVAL;
>  
>  	/* Check for overflow in allocation size calculation */
> -	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
> +	if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
>  		return -EINVAL;
>  
> -	new_data = kmalloc(size, GFP_USER);
> +	new_data = kmalloc(alloc_size, GFP_USER);
>  
>  	if (!new_data)
>  		return -ENOMEM;
> -- 
> 2.51.0

Reviewed-by: Qianqiang Liu <qianqiang.liu@163.com>

-- 
Best,
Qianqiang Liu


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-09-23  1:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-22 13:45 [PATCH] fbcon: Fix OOB access in font allocation Thomas Zimmermann
2025-09-22 18:12 ` Lucas De Marchi
2025-09-23  1:26 ` Qianqiang Liu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox