From: Osama Abdelkader <osama.abdelkader@gmail.com>
To: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Zsolt Kajtar <soci@c64.rulez.org>,
Simona Vetter <simona@ffwll.ch>, Helge Deller <deller@gmx.de>,
linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
Subject: Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
Date: Sat, 24 Jan 2026 17:53:23 +0100
Message-ID: <aXT5A6vBSNIry3os@osama>
In-Reply-To: <5bc62c51-308c-483f-a92d-29354f2deeac@suse.de>
On Mon, Jan 19, 2026 at 08:38:31AM +0100, Thomas Zimmermann wrote:
> Hi,
>
> thanks for the patch.
>
> On 18.01.26 at 01:18, Osama Abdelkader wrote:
> > The sys_fillrect function was missing bounds validation, which could lead
> > to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> > beyond the framebuffer's virtual resolution. This was detected by KASAN
> > and reported by syzkaller.
> >
> > Add validation to:
> > 1. Check that width and height are non-zero
> > 2. Verify that dx and dy are within virtual resolution bounds
> > 3. Clip the rectangle dimensions to fit within virtual resolution if needed
>
> This is rather a problem with the caller of the fillrect helper and affects
> all drivers and all implementations of fb_fillrect. Clipping should happen
> in the fbcon functions before invoking ->fb_con.
>
> Best regards
> Thomas
>
> >
> > This follows the same pattern used in other framebuffer drivers like
> > pm2fb_fillrect.
> >
> > Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> > Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> > ---
> > drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
> > 1 file changed, 20 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> > index 12eea3e424bb..73fc322ff8fd 100644
> > --- a/drivers/video/fbdev/core/sysfillrect.c
> > +++ b/drivers/video/fbdev/core/sysfillrect.c
> > @@ -7,6 +7,7 @@
> > #include <linux/module.h>
> > #include <linux/fb.h>
> > #include <linux/bitrev.h>
> > +#include <linux/string.h>
> > #include <asm/types.h>
> > #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
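Review bot: the new `#include <linux/string.h>` exists only to serve the memcpy() introduced in the next hunk; a plain struct assignment (`modded = *rect;`) copies the same bytes without the include or the sizeof and is the usual kernel idiom for a small fixed-size struct, so both the include and the memcpy() can go.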
> > @@ -18,10 +19,28 @@
> > void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
> > {
> > + struct fb_fillrect modded;
> > + int vxres, vyres;
> > +
> > if (!(p->flags & FBINFO_VIRTFB))
> > fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
> > - fb_fillrect(p, rect);
> > + vxres = p->var.xres_virtual;
> > + vyres = p->var.yres_virtual;
> > +
> > + /* Validate and clip rectangle to virtual resolution */
> > + if (!rect->width || !rect->height ||
> > + rect->dx >= vxres || rect->dy >= vyres)
> > + return;
> > +
> > + memcpy(&modded, rect, sizeof(struct fb_fillrect));
> > +
> > + if (modded.dx + modded.width > vxres)
> > + modded.width = vxres - modded.dx;
> > + if (modded.dy + modded.height > vyres)
> > + modded.height = vyres - modded.dy;
> > +
> > + fb_fillrect(p, &modded);
> > }
> > EXPORT_SYMBOL(sys_fillrect);
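Review bot: the clip at `if (modded.dx + modded.width > vxres)` is computed in the width of the struct fields, which are 32-bit unsigned in uapi fb.h, so a sufficiently large `width` makes the sum wrap around and stay below `vxres`; the rectangle is then passed to fb_fillrect() unclipped and the out-of-bounds write the patch targets is still reachable. Compare against the remaining space instead, e.g. `if (modded.width > vxres - modded.dx)`, which cannot wrap because `rect->dx >= vxres` has already been rejected (same for dy/height). Declaring `vxres`/`vyres` as `int` while `p->var.xres_virtual` and the rect fields are unsigned also turns every comparison in this hunk into a signed/unsigned mix; keep them in the same unsigned type. Two smaller points: the early `return` drops the request silently with no diagnostic, and, as Thomas notes, this only guards sys_fillrect while the same caller bug reaches every other fb_fillrect implementation, so the clipping belongs in the fbcon caller.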
>
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
> GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
>
>
Thanks for the info.
Best regards,
Osama
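As an added illustration, not part of the patch or of this thread, the following userspace routine carries out the three validation steps from the commit message with the clip rewritten so a 32-bit wrap in dx + width cannot slip past it; `struct fillrect`, `naive_fits`, `clip_fillrect` and `clipped_width` are names assumed for this example, and `struct fillrect` is a stand-in for the kernel's `struct fb_fillrect`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's struct fb_fillrect; the real fields
 * are __u32 too, so uint32_t reproduces the same arithmetic. */
struct fillrect {
	uint32_t dx, dy, width, height;
};

/* The patch's check, written with scalars: "dx + width > vxres".
 * Both operands are 32-bit unsigned, so the sum wraps for large widths. */
bool naive_fits(uint32_t dx, uint32_t width, uint32_t vxres)
{
	return dx + width <= vxres;
}

/* Clip *r to a vxres x vyres virtual framebuffer in place; returns false
 * when nothing is left to draw. dx < vxres is checked first, so vxres - dx
 * cannot underflow and the width comparison cannot wrap like naive_fits. */
bool clip_fillrect(struct fillrect *r, uint32_t vxres, uint32_t vyres)
{
	if (!r->width || !r->height)
		return false;
	if (r->dx >= vxres || r->dy >= vyres)
		return false;
	if (r->width > vxres - r->dx)
		r->width = vxres - r->dx;
	if (r->height > vyres - r->dy)
		r->height = vyres - r->dy;
	return true;
}

/* Convenience wrapper: the clipped width, or 0 when the rect is rejected. */
uint32_t clipped_width(uint32_t dx, uint32_t dy, uint32_t width,
		       uint32_t height, uint32_t vxres, uint32_t vyres)
{
	struct fillrect r = { dx, dy, width, height };
	return clip_fillrect(&r, vxres, vyres) ? r.width : 0;
}

int main(void)
{
	/* Constructed input: dx + width wraps past 2^32 back to 9, so the
	 * naive check accepts it while the clip reduces it to 1014 columns. */
	printf("naive: %d, clipped width: %u\n",
	       naive_fits(10, 0xFFFFFFFFu, 1024),
	       clipped_width(10, 5, 0xFFFFFFFFu, 2, 1024, 768)); /* 1, 1014 */
	return 0;
}
```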