From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 92845271A9A; Tue, 5 Aug 2025 13:11:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754399485; cv=none; b=HGse+VYOlrv5NKEDgL130jINWsrQLIsBDuOKF31dvHfbFBRpNifPlC7Y6yNZy9ckNji3yzM4G28PG3SST9G/dQwFc3KGEEx6MffzhpunSWbQpqqMMAeU0GM5ig+fYLKzN/n+saCbGOOyrr7uSt5mcVXnc2MO+QOyA/KUOcbakeM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754399485; c=relaxed/simple; bh=druAkP7ErkwowYteDJD9VVOW9WOr0v88MkQOAoddKV8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=aXutGK3EI6g0Wl2kEfqYJTUErsh1rXLuga9hcb1W/IFxWDBeounp6lmb6jdc/ifJmR1EwL6FqsS2ogKoBuENfGomA+5iyEkQyMomnXIbjHc+jjZa4+waG4AitL69skCOMWnJOfbRFICGnTllCu+WQS+u0/frD5xYOxJhQqNL1wc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gdRa/AQY; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gdRa/AQY" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DFE76C4CEF4; Tue, 5 Aug 2025 13:11:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754399485; bh=druAkP7ErkwowYteDJD9VVOW9WOr0v88MkQOAoddKV8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gdRa/AQYz5n2gH1736g7YxHRwuEBeZafCSQT3m2rJTa/JVn+4e9HQ9bz9rVNqUwGL D+sD3Ci01GrGMQCULM14szALPAaF4T1C7BQRJ5/eLlYlaLPpOke1IDli96Y72PYgsL akrmA7yKxJ+2H2hTdaAHfAb2CaeOpakiILSKfysqpKJmwg1IvfQVFMhJ0x7APOj7df v+F3dYVyVqsjmU9KRzZtgJqFImp8iYZh1YDOHXyMrfN/l4VHOzZCNKkhT4jFdcKuQr WWDq5zAbDSgiALH9zQW2go3FBb5wex7odyBcfEcTJ0tFKeZ9JYYHCCDzYxNvGwDWRL hhj5WtNWZerLQ== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Yongzhen Zhang , Helge Deller , Sasha Levin , simona@ffwll.ch, tzimmermann@suse.de, lee@kernel.org, m.masimov@mt-integration.ru, linux@weissschuh.net Subject: [PATCH AUTOSEL 6.16-6.1] fbdev: fix potential buffer overflow in do_register_framebuffer() Date: Tue, 5 Aug 2025 09:09:20 -0400 Message-Id: <20250805130945.471732-45-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250805130945.471732-1-sashal@kernel.org> References: <20250805130945.471732-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.16 Content-Transfer-Encoding: 8bit From: Yongzhen Zhang [ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ] The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceeds array bounds Add boundary check to prevent registered_fb[FB_MAX] access. Signed-off-by: Yongzhen Zhang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: **Backport Status: YES** This commit should be backported to stable kernel trees for the following reasons: ## Critical Bug Fix The patch fixes a legitimate **buffer overflow vulnerability** in the framebuffer registration code. The vulnerability occurs when: 1. **Array bounds violation**: After the loop at lines 448-450 searches for an empty slot in `registered_fb[]`, the variable `i` could equal `FB_MAX` (32) if no empty slot is found 2. **Out-of-bounds access**: Without the added check, line 460 (`fb_info->node = i`) and line 499 (`registered_fb[i] = fb_info`) would access `registered_fb[FB_MAX]`, which is beyond the array bounds (array indices are 0-31) ## Security Impact This is a **security-relevant fix** that prevents potential kernel memory corruption: - Writing to `registered_fb[FB_MAX]` at line 499 would corrupt memory beyond the array - This could lead to system crashes, unpredictable behavior, or potentially be exploited for privilege escalation ## Meets Stable Criteria The fix perfectly aligns with stable tree requirements: - **Small and contained**: Only 3 lines added (the check and return statement) - **No feature changes**: Pure bug fix with no functional changes - **Minimal regression risk**: The added check is defensive and cannot break existing functionality - **Clear bug fix**: Addresses a specific, well-defined issue ## Code Analysis The vulnerability scenario is real and can occur when: 1. The system has gaps in `registered_fb[]` due to framebuffer unregistration (line 545 in `do_unregister_framebuffer` sets slots to NULL) 2. The condition `num_registered_fb < FB_MAX` passes (line 445) but all 32 slots happen to be occupied with non-contiguous registrations 3. The loop finds no empty slot, leaving `i = FB_MAX` The fix adds a crucial boundary check at the right location, immediately after the search loop, preventing any possibility of out-of-bounds access. This is exactly the type of fix that should be backported to stable kernels - it addresses a real security vulnerability with minimal code change and zero risk of introducing new issues. drivers/video/fbdev/core/fbmem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index dfcf5e4d1d4c..53f1719b1ae1 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -449,6 +449,9 @@ static int do_register_framebuffer(struct fb_info *fb_info) if (!registered_fb[i]) break; + if (i >= FB_MAX) + return -ENXIO; + if (!fb_info->modelist.prev || !fb_info->modelist.next) INIT_LIST_HEAD(&fb_info->modelist); -- 2.39.5