From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
"Samasth Norway Ananda" <samasth.norway.ananda@oracle.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"George Kennedy" <george.kennedy@oracle.com>,
syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com,
"Simona Vetter" <simona@ffwll.ch>, "Helge Deller" <deller@gmx.de>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Sam Ravnborg" <sam@ravnborg.org>,
"Qianqiang Liu" <qianqiang.liu@163.com>,
"Shixiong Ou" <oushixiong@kylinos.cn>,
"Kees Cook" <kees@kernel.org>
Subject: [PATCH 5.4 73/81] fbcon: fix integer overflow in fbcon_do_set_font
Date: Tue, 30 Sep 2025 16:47:15 +0200
Message-ID: <20250930143822.759716444@linuxfoundation.org>
In-Reply-To: <20250930143819.654157320@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream.
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.
The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount
multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow.
3. This results in smaller allocations than expected, leading to buffer
overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safely validate all size
calculations before allocation.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: stable <stable@vger.kernel.org>
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2509,9 +2509,16 @@ static int fbcon_set_font(struct vc_data
if (fbcon_invalid_charcount(info, charcount))
return -EINVAL;
- size = CALC_FONTSZ(h, pitch, charcount);
+ /* Check for integer overflow in font size calculation */
+ if (check_mul_overflow(h, pitch, &size) ||
+ check_mul_overflow(size, charcount, &size))
+ return -EINVAL;
+
+ /* Check for overflow in allocation size calculation */
+ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
+ return -EINVAL;
- new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
+ new_data = kmalloc(size, GFP_USER);
if (!new_data)
return -ENOMEM;
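Review bot: the second check in this hunk, `check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)`, overwrites `size` with the total allocation length, whereas before the change `size` held only the font data length from `CALC_FONTSZ()`; any later use of `size` in this function as the amount of font data to copy or record (outside the hunk) is now larger by `FONT_EXTRA_WORDS * sizeof(int)` bytes, which turns an undersized-allocation bug into an over-read of the caller's font buffer. Suggest keeping the two lengths apart, e.g. `size_t alloc_size;` then `if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))` and `new_data = kmalloc(alloc_size, GFP_USER);`, so `size` keeps its original meaning. Also worth confirming the backport builds without new warnings: the operands mix types (`sizeof(int)` makes the first addend a size_t while `size`, `h`, `pitch` and `charcount` are declared outside the hunk) and older overflow helpers are pickier about that than current ones.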
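To make the arithmetic in the commit message concrete, the following user-space C program models the font size computation described above with the unchecked product next to the overflow-checked one. It is an added example, not the kernel's code: `__builtin_mul_overflow()` and `__builtin_add_overflow()` are the compiler builtins that the kernel's `check_mul_overflow()` / `check_add_overflow()` wrap, `FONT_EXTRA_WORDS` is taken as 4 (the value in `include/linux/font.h`), the positivity guard on `h`, `pitch` and `charcount` is this example's own precondition rather than fbcon's validation, and the input values are constructed.

```c
/*
 * Added example (not kernel code): model of the font size arithmetic in
 * fbcon_do_set_font(), unchecked beside overflow-checked.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FONT_EXTRA_WORDS 4   /* as in include/linux/font.h */

/*
 * Unchecked: CALC_FONTSZ(h, pitch, charcount) is h * pitch * charcount.
 * The product is taken modulo 2^32 here so the demonstration is well
 * defined; in the kernel the signed int product simply overflows.
 */
static uint32_t calc_fontsz_unchecked(uint32_t h, uint32_t pitch,
                                      uint32_t charcount)
{
    return h * pitch * charcount;             /* wraps silently */
}

/* Unchecked allocation length: the addition can wrap as well. */
static uint32_t alloc_size_unchecked(uint32_t fontsz)
{
    return (uint32_t)(FONT_EXTRA_WORDS * sizeof(int)) + fontsz;
}

/*
 * Checked: returns 0 and fills in both the font data length and the total
 * allocation length, or -1 (the kernel returns -EINVAL) when any
 * intermediate does not fit in an int. The two lengths are kept in
 * separate variables so a later copy of the caller's font data is bounded
 * by data_size, not by the larger alloc_size.
 */
static int font_sizes_checked(int h, int pitch, unsigned int charcount,
                              size_t *data_size, size_t *alloc_size)
{
    int size, total;

    /* Example's own precondition: a negative factor would slip past
     * the overflow checks and become a huge size_t. */
    if (h <= 0 || pitch <= 0 || charcount == 0)
        return -1;

    /* h * pitch * charcount, each step checked for fit in an int */
    if (__builtin_mul_overflow(h, pitch, &size) ||
        __builtin_mul_overflow(size, charcount, &size))
        return -1;

    /* FONT_EXTRA_WORDS * sizeof(int) + size, also checked */
    if (__builtin_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &total))
        return -1;

    *data_size = (size_t)size;
    *alloc_size = (size_t)total;
    return 0;
}

/* Convenience wrapper: allocation length, or -1 when rejected. */
static long checked_alloc_size(int h, int pitch, unsigned int charcount)
{
    size_t data, alloc;

    if (font_sizes_checked(h, pitch, charcount, &data, &alloc))
        return -1;
    return (long)alloc;
}

int main(void)
{
    /* Constructed input: h * pitch alone is 2^32 + 65536. */
    uint32_t wrapped = calc_fontsz_unchecked(65536, 65537, 1);

    printf("unchecked: font data size wraps to %u, would kmalloc(%u)\n",
           wrapped, alloc_size_unchecked(wrapped));
    printf("checked:   same input -> %ld (rejected)\n",
           checked_alloc_size(65536, 65537, 1));
    /* A plausible 8x16 font with 256 glyphs: pitch is 1 byte for width <= 8. */
    printf("checked:   16x1x256 -> allocation of %ld bytes\n",
           checked_alloc_size(16, 1, 256));
    return 0;
}
```

The wrapped value (65536) is what an unchecked caller would hand to the allocator, while the true data length exceeds 4 GiB; the checked path rejects the same input, and also rejects a product that fits in 32 bits unsigned but not in an int, and a data length to which the extra words cannot be added without overflow.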
2025-09-30 14:46 [PATCH 5.4 00/81] 5.4.300-rc1 review Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 01/81] usb: hub: Fix flushing of delayed work used for post resume purposes Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 02/81] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 03/81] NFSv4: Dont clear capabilities that wont be reset Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 04/81] tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 05/81] EDAC/altera: Delete an inappropriate dma_free_coherent() call Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 06/81] ocfs2: fix recursive semaphore deadlock in fiemap call Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 07/81] mtd: rawnand: stm32_fmc2: fix ECC overwrite Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 08/81] fuse: check if copy_file_range() returns larger than requested size Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 09/81] fuse: prevent overflow in copy_file_range return value Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 10/81] mm/khugepaged: fix the address passed to notifier on testing young Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 11/81] mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 12/81] mtd: nand: raw: atmel: Fix comment in timings preparation Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 13/81] mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 14/81] tty: hvc_console: Call hvc_kick in hvc_write unconditionally Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 15/81] USB: serial: option: add Telit Cinterion FN990A w/audio compositions Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 16/81] USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 17/81] net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 18/81] igb: fix link test skipping when interface is admin down Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 19/81] genirq/affinity: Add irq_update_affinity_desc() Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 20/81] genirq: Export affinity setter for modules Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 21/81] genirq: Provide new interfaces for affinity hints Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 22/81] i40e: Use irq_update_affinity_hint() Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 23/81] i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 24/81] can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 25/81] can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 26/81] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 27/81] dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 28/81] phy: ti-pipe3: fix device leak at unbind Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 29/81] soc: qcom: mdt_loader: Deal with zero e_shentsize Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 30/81] mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 31/81] ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 32/81] wifi: mac80211: fix incorrect type for ret Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 33/81] pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 34/81] cgroup: split cgroup_destroy_wq into 3 workqueues Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 35/81] net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 36/81] i40e: remove redundant memory barrier when cleaning Tx descs Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 37/81] tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect() Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 38/81] Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 39/81] net: liquidio: fix overflow in octeon_init_instr_queue() Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 40/81] cnic: Fix use-after-free bugs in cnic_delete_task Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 41/81] nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 42/81] power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 43/81] power: supply: bq27xxx: restrict no-battery detection to bq27000 Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 44/81] mmc: mvsdio: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 45/81] rds: ib: Increment i_fastreg_wrs before bailing out Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 46/81] ASoC: wm8940: Correct typo in control name Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 47/81] ASoC: wm8974: Correct PLL rate rounding Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 48/81] ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 49/81] usb: gadget: dummy_hcd: remove usage of list iterator past the loop body Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 50/81] USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 51/81] serial: sc16is7xx: fix bug in flow control levels init Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 52/81] net: rfkill: gpio: add DT support Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 53/81] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 54/81] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 55/81] ALSA: usb-audio: Fix block comments in mixer_quirks Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 56/81] ALSA: usb-audio: Avoid multiple assignments " Greg Kroah-Hartman
2025-09-30 14:46 ` [PATCH 5.4 57/81] ALSA: usb-audio: Simplify NULL comparison " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 58/81] ALSA: usb-audio: Remove unneeded wmb() " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 59/81] ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 60/81] ALSA: usb-audio: Convert comma to semicolon Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 61/81] ALSA: usb-audio: Fix build with CONFIG_INPUT=n Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 62/81] usb: core: Add 0x prefix to quirks debug output Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 63/81] IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 64/81] can: rcar_can: rcar_can_resume(): fix s2ram with PSCI Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 65/81] can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 66/81] can: sun4i_can: " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 67/81] can: mcba_usb: " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 68/81] can: peak_usb: fix shift-out-of-bounds issue Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 69/81] drm/gma500: Fix null dereference in hdmi teardown Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 70/81] i40e: fix idx validation in i40e_validate_queue_map Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 71/81] i40e: fix input validation logic for action_meta Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 72/81] i40e: add max boundary check for VF filters Greg Kroah-Hartman
2025-09-30 14:47 ` Greg Kroah-Hartman [this message]
2025-09-30 14:47 ` [PATCH 5.4 74/81] fbcon: Fix OOB access in font allocation Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 75/81] mm/migrate_device: dont add folio to be freed to LRU in migrate_device_finalize() Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 76/81] i40e: increase max descriptors for XL710 Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 77/81] i40e: add validation for ring_len param Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 78/81] i40e: fix idx validation in config queues msg Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 79/81] i40e: fix validation of VF state in get resources Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 80/81] i40e: add mask to apply valid bits for itr_idx Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 5.4 81/81] mm/hugetlb: fix folio is still mapped when deleted Greg Kroah-Hartman
2025-09-30 17:06 ` [PATCH 5.4 00/81] 5.4.300-rc1 review Florian Fainelli
2025-09-30 18:52 ` Brett A C Sheffield
2025-10-01 9:11 ` [PATCH 5.4 00/81] " Jon Hunter
2025-10-01 12:07 ` Naresh Kamboju
2025-10-01 13:37 ` [External] : " ALOK TIWARI
2025-10-01 16:21 ` Shuah Khan