* [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
@ 2026-01-18 0:18 Osama Abdelkader
2026-01-19 7:38 ` Thomas Zimmermann
0 siblings, 1 reply; 3+ messages in thread
From: Osama Abdelkader @ 2026-01-18 0:18 UTC
To: Zsolt Kajtar, Simona Vetter, Helge Deller, Osama Abdelkader,
Thomas Zimmermann, linux-fbdev, dri-devel, linux-kernel
Cc: syzbot+7a63ce155648954e749b

The sys_fillrect function was missing bounds validation, which could lead
to vmalloc-out-of-bounds writes when the rectangle coordinates extend
beyond the framebuffer's virtual resolution. This was detected by KASAN
and reported by syzkaller.

Add validation to:
1. Check that width and height are non-zero
2. Verify that dx and dy are within virtual resolution bounds
3. Clip the rectangle dimensions to fit within virtual resolution if needed

This follows the same pattern used in other framebuffer drivers like
pm2fb_fillrect.

Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
---
drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
index 12eea3e424bb..73fc322ff8fd 100644
--- a/drivers/video/fbdev/core/sysfillrect.c
+++ b/drivers/video/fbdev/core/sysfillrect.c
@@ -7,6 +7,7 @@
#include <linux/module.h>
#include <linux/fb.h>
#include <linux/bitrev.h>
+#include <linux/string.h>
#include <asm/types.h>
#ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
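Review bot: The added #include <linux/string.h> is needed only for the memcpy() call that the next hunk introduces in sys_fillrect(). Copying the rectangle by struct assignment ("modded = *rect;") does the same job and makes this include unnecessary.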
@@ -18,10 +19,28 @@
void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
{
+ struct fb_fillrect modded;
+ int vxres, vyres;
+
if (!(p->flags & FBINFO_VIRTFB))
fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
- fb_fillrect(p, rect);
+ vxres = p->var.xres_virtual;
+ vyres = p->var.yres_virtual;
+
+ /* Validate and clip rectangle to virtual resolution */
+ if (!rect->width || !rect->height ||
+ rect->dx >= vxres || rect->dy >= vyres)
+ return;
+
+ memcpy(&modded, rect, sizeof(struct fb_fillrect));
+
+ if (modded.dx + modded.width > vxres)
+ modded.width = vxres - modded.dx;
+ if (modded.dy + modded.height > vyres)
+ modded.height = vyres - modded.dy;
+
+ fb_fillrect(p, &modded);
}
EXPORT_SYMBOL(sys_fillrect);
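Review bot: The two clipping tests in sys_fillrect() add before they compare, so "modded.dx + modded.width > vxres" can wrap around for a very large width; the test is then false and the width reaches fb_fillrect() unclipped. The same applies to dy and height. The early return already guarantees dx < vxres and dy < vyres, so compare against the remaining space instead: "if (modded.width > vxres - modded.dx)" and "if (modded.height > vyres - modded.dy)".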
--
2.43.0
* Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
From: Thomas Zimmermann @ 2026-01-19 7:38 UTC
To: Osama Abdelkader, Zsolt Kajtar, Simona Vetter, Helge Deller,
linux-fbdev, dri-devel, linux-kernel
Cc: syzbot+7a63ce155648954e749b
Hi,
thanks for the patch.
On 18.01.26 at 01:18, Osama Abdelkader wrote:
> The sys_fillrect function was missing bounds validation, which could lead
> to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> beyond the framebuffer's virtual resolution. This was detected by KASAN
> and reported by syzkaller.
>
> Add validation to:
> 1. Check that width and height are non-zero
> 2. Verify that dx and dy are within virtual resolution bounds
> 3. Clip the rectangle dimensions to fit within virtual resolution if needed
This is rather a problem with the caller of the fillrect helper and
affects all drivers and all implementations of fb_fillrect. Clipping
should happen in the fbcon functions before invoking ->fb_con.
Best regards
Thomas
>
> This follows the same pattern used in other framebuffer drivers like
> pm2fb_fillrect.
>
> Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> ---
> drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
> 1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> index 12eea3e424bb..73fc322ff8fd 100644
> --- a/drivers/video/fbdev/core/sysfillrect.c
> +++ b/drivers/video/fbdev/core/sysfillrect.c
> @@ -7,6 +7,7 @@
> #include <linux/module.h>
> #include <linux/fb.h>
> #include <linux/bitrev.h>
> +#include <linux/string.h>
> #include <asm/types.h>
>
> #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
> @@ -18,10 +19,28 @@
>
> void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
> {
> + struct fb_fillrect modded;
> + int vxres, vyres;
> +
> if (!(p->flags & FBINFO_VIRTFB))
> fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
>
> - fb_fillrect(p, rect);
> + vxres = p->var.xres_virtual;
> + vyres = p->var.yres_virtual;
> +
> + /* Validate and clip rectangle to virtual resolution */
> + if (!rect->width || !rect->height ||
> + rect->dx >= vxres || rect->dy >= vyres)
> + return;
> +
> + memcpy(&modded, rect, sizeof(struct fb_fillrect));
> +
> + if (modded.dx + modded.width > vxres)
> + modded.width = vxres - modded.dx;
> + if (modded.dy + modded.height > vyres)
> + modded.height = vyres - modded.dy;
> +
> + fb_fillrect(p, &modded);
> }
> EXPORT_SYMBOL(sys_fillrect);
>
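Review bot: The early return in sys_fillrect() drops a rectangle whose dx or dy lies outside the virtual resolution without any message, so a caller passing bad coordinates goes unnoticed. The function already calls fb_warn_once() a few lines above; a similar one-time warning before the "return;" would keep the check from hiding the caller-side problem raised in this reply.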
--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
* Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
From: Osama Abdelkader @ 2026-01-24 16:53 UTC
To: Thomas Zimmermann
Cc: Zsolt Kajtar, Simona Vetter, Helge Deller, linux-fbdev, dri-devel,
linux-kernel, syzbot+7a63ce155648954e749b
On Mon, Jan 19, 2026 at 08:38:31AM +0100, Thomas Zimmermann wrote:
> Hi,
>
> thanks for the patch.
>
> On 18.01.26 at 01:18, Osama Abdelkader wrote:
> > The sys_fillrect function was missing bounds validation, which could lead
> > to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> > beyond the framebuffer's virtual resolution. This was detected by KASAN
> > and reported by syzkaller.
> >
> > Add validation to:
> > 1. Check that width and height are non-zero
> > 2. Verify that dx and dy are within virtual resolution bounds
> > 3. Clip the rectangle dimensions to fit within virtual resolution if needed
>
> This is rather a problem with the caller of the fillrect helper and affects
> all drivers and all implementations of fb_fillrect. Clipping should happen
> in the fbcon functions before invoking ->fb_con.
>
> Best regards
> Thomas
>
> >
> > This follows the same pattern used in other framebuffer drivers like
> > pm2fb_fillrect.
> >
> > Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> > Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> > ---
> > drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
> > 1 file changed, 20 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> > index 12eea3e424bb..73fc322ff8fd 100644
> > --- a/drivers/video/fbdev/core/sysfillrect.c
> > +++ b/drivers/video/fbdev/core/sysfillrect.c
> > @@ -7,6 +7,7 @@
> > #include <linux/module.h>
> > #include <linux/fb.h>
> > #include <linux/bitrev.h>
> > +#include <linux/string.h>
> > #include <asm/types.h>
> > #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
> > @@ -18,10 +19,28 @@
> > void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
> > {
> > + struct fb_fillrect modded;
> > + int vxres, vyres;
> > +
> > if (!(p->flags & FBINFO_VIRTFB))
> > fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
> > - fb_fillrect(p, rect);
> > + vxres = p->var.xres_virtual;
> > + vyres = p->var.yres_virtual;
> > +
> > + /* Validate and clip rectangle to virtual resolution */
> > + if (!rect->width || !rect->height ||
> > + rect->dx >= vxres || rect->dy >= vyres)
> > + return;
> > +
> > + memcpy(&modded, rect, sizeof(struct fb_fillrect));
> > +
> > + if (modded.dx + modded.width > vxres)
> > + modded.width = vxres - modded.dx;
> > + if (modded.dy + modded.height > vyres)
> > + modded.height = vyres - modded.dy;
> > +
> > + fb_fillrect(p, &modded);
> > }
> > EXPORT_SYMBOL(sys_fillrect);
>
> --
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
> GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
>
>
Thanks for the info.
Best regards,
Osama