[PATCH AUTOSEL 6.17-5.4] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

[Sasha Levin <sashal@kernel.org>]

From: Albin Babu Varghese <albinbabuvarghese20@gmail.com>

[ Upstream commit 3637d34b35b287ab830e66048841ace404382b67 ]

Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.

Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.

Reported-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190
Suggested-by: Helge Deller <deller@gmx.de>
Tested-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

YES
- The added vertical guard in
  `drivers/video/fbdev/core/bitblit.c:163-166` stops the renderer before
  it touches rows past `info->var.yres`, directly preventing the off-
  screen writes that triggered the syzbot vmalloc-out-of-bounds report
  while leaving the rest of the rendering unchanged.
- The horizontal clipping in
  `drivers/video/fbdev/core/bitblit.c:182-191` is the crucial fix: it
  refuses to draw when the start X is already off-screen, clips
  `image.width` to the visible span, and—most importantly—shrinks `cnt`
  to match the clipped width. Without that `cnt` adjustment, the
  subsequent calls to `bit_putcs_aligned/unaligned`
  (drivers/video/fbdev/core/bitblit.c:200-205) would still iterate over
  the original character count and walk past the pixmap buffer that was
  sized for the smaller width, recreating the exact overflow syzbot
  caught.
- `bit_putcs` is the fbcon `putcs` hook
  (drivers/video/fbdev/core/bitblit.c:408), so this bug can be triggered
  by any console text write near the display edge; the overflow is real
  memory corruption, making this a high-priority stable fix.
- The patch is self-contained to console blitting, introduces no API or
  structural changes, and only adds straightforward bounds checks and
  bookkeeping, so regression risk is low while preventing a serious
  crash/security issue.

Backporting this minimal defensive fix aligns with stable policy: it
closes a user-visible bug (vmalloc OOB) reported by syzbot and does so
with tightly scoped changes. Recommendation: apply to stable.

 drivers/video/fbdev/core/bitblit.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
index f9475c14f7339..a9ec7f488522c 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -160,6 +160,11 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info,
 	image.height = vc->vc_font.height;
 	image.depth = 1;
 
+	if (image.dy >= info->var.yres)
+		return;
+
+	image.height = min(image.height, info->var.yres - image.dy);
+
 	if (attribute) {
 		buf = kmalloc(cellsize, GFP_ATOMIC);
 		if (!buf)
@@ -173,6 +178,18 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info,
 			cnt = count;
 
 		image.width = vc->vc_font.width * cnt;
+
+		if (image.dx >= info->var.xres)
+			break;
+
+		if (image.dx + image.width > info->var.xres) {
+			image.width = info->var.xres - image.dx;
+			cnt = image.width / vc->vc_font.width;
+			if (cnt == 0)
+				break;
+			image.width = cnt * vc->vc_font.width;
+		}
+
 		pitch = DIV_ROUND_UP(image.width, 8) + scan_align;
 		pitch &= ~scan_align;
 		size = pitch * image.height + buf_align;
-- 
2.51.0