Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Vitaly Chikunov]

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
> 
> This fixes a global out-of-bounds read reported by syzbot.
> 
> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

  0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
  commit 0998a6cb232674408a03e8561dc15aa266b2f53b
  Author:     Junjie Cao <junjie.cao@intel.com>
  AuthorDate: 2025-10-20 21:47:01 +0800
  Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  CommitDate: 2025-12-07 06:08:07 +0900

      fbdev: bitblit: bound-check glyph index in bit_putcs*

      commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

      bit_putcs_aligned()/unaligned() derived the glyph pointer from the
      character value masked by 0xff/0x1ff, which may exceed the actual font's
      glyph count and read past the end of the built-in font array.
      Clamp the index to the actual glyph count before computing the address.

      This fixes a global out-of-bounds read reported by syzbot.

      Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
      Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Signed-off-by: Junjie Cao <junjie.cao@intel.com>
      Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
      Signed-off-by: Helge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
   1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

  date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b

> ---
> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> v1 -> v2:
>  - Fix indentation and add blank line after declarations with the .pl helper
>  - No functional changes
> 
>  drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
> index 9d2e59796c3e..085ffb44c51a 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>  				     struct fb_image *image, u8 *buf, u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
>  				       u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 shift_low = 0, mod = vc->vc_font.width % 8;
>  	u32 shift_high = 8;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
> -- 
> 2.48.1
> 

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Vitaly Chikunov]

Dear linux-fbdev, stable,

On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
> 
> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> > bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> > character value masked by 0xff/0x1ff, which may exceed the actual font's
> > glyph count and read past the end of the built-in font array.
> > Clamp the index to the actual glyph count before computing the address.
> > 
> > This fixes a global out-of-bounds read reported by syzbot.
> > 
> > Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> > Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> > Signed-off-by: Junjie Cao <junjie.cao@intel.com>
> 
> This commit is applied to v5.10.247 and causes a regression: when
> switching VT with ctrl-alt-f2 the screen is blank or completely filled
> with angle characters, then new text is not appearing (or not visible).
> 
> This commit is found with git bisect from v5.10.246 to v5.10.247:
> 
>   0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>   commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>   Author:     Junjie Cao <junjie.cao@intel.com>
>   AuthorDate: 2025-10-20 21:47:01 +0800
>   Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>   CommitDate: 2025-12-07 06:08:07 +0900
> 
>       fbdev: bitblit: bound-check glyph index in bit_putcs*
> 
>       commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
> 
>       bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>       character value masked by 0xff/0x1ff, which may exceed the actual font's
>       glyph count and read past the end of the built-in font array.
>       Clamp the index to the actual glyph count before computing the address.
> 
>       This fixes a global out-of-bounds read reported by syzbot.
> 
>       Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>       Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>       Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>       Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>       Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>       Signed-off-by: Helge Deller <deller@gmx.de>
>       Cc: stable@vger.kernel.org
>       Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
>    drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>    1 file changed, 12 insertions(+), 4 deletions(-)
> 
> The minimal reproducer in cli, after kernel is booted:
> 
>   date >/dev/tty2; chvt 2
> 
> and the date does not appear.
> 
> Thanks,
> 
> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
> 
> > ---
> > v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> > v1 -> v2:
> >  - Fix indentation and add blank line after declarations with the .pl helper
> >  - No functional changes
> > 
> >  drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
> >  1 file changed, 12 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
> > index 9d2e59796c3e..085ffb44c51a 100644
> > --- a/drivers/video/fbdev/core/bitblit.c
> > +++ b/drivers/video/fbdev/core/bitblit.c
> > @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
> >  				     struct fb_image *image, u8 *buf, u8 *dst)
> >  {
> >  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> > +	unsigned int charcnt = vc->vc_font.charcount;

Perhaps, vc->vc_font.charcount (which is relied upon in the following
comparison) is not always set correctly in v5.10.247. At least two
commits that set vc_font.charcount are missing from v5.10.247:

  a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount")
  a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")

Thanks,


> >  	u32 idx = vc->vc_font.width >> 3;
> >  	u8 *src;
> >  
> >  	while (cnt--) {
> > -		src = vc->vc_font.data + (scr_readw(s++)&
> > -					  charmask)*cellsize;
> > +		u16 ch = scr_readw(s++) & charmask;
> > +
> > +		if (ch >= charcnt)
> > +			ch = 0;
> > +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
> >  
> >  		if (attr) {
> >  			update_attr(buf, src, attr, vc);
> > @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
> >  				       u8 *dst)
> >  {
> >  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> > +	unsigned int charcnt = vc->vc_font.charcount;
> >  	u32 shift_low = 0, mod = vc->vc_font.width % 8;
> >  	u32 shift_high = 8;
> >  	u32 idx = vc->vc_font.width >> 3;
> >  	u8 *src;
> >  
> >  	while (cnt--) {
> > -		src = vc->vc_font.data + (scr_readw(s++)&
> > -					  charmask)*cellsize;
> > +		u16 ch = scr_readw(s++) & charmask;
> > +
> > +		if (ch >= charcnt)
> > +			ch = 0;
> > +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
> >  
> >  		if (attr) {
> >  			update_attr(buf, src, attr, vc);
> > -- 
> > 2.48.1
> > 

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Barry K. Nathan]

On 12/26/25 4:21 AM, Vitaly Chikunov wrote:
> Dear linux-fbdev, stable,
> 
> On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>>
>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>> character value masked by 0xff/0x1ff, which may exceed the actual font's
>>> glyph count and read past the end of the built-in font array.
>>> Clamp the index to the actual glyph count before computing the address.
>>>
>>> This fixes a global out-of-bounds read reported by syzbot.
>>>
>>> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>>
>> This commit is applied to v5.10.247 and causes a regression: when
>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>> with angle characters, then new text is not appearing (or not visible).
>>
>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>
>>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>    Author:     Junjie Cao <junjie.cao@intel.com>
>>    AuthorDate: 2025-10-20 21:47:01 +0800
>>    Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>    CommitDate: 2025-12-07 06:08:07 +0900
>>
>>        fbdev: bitblit: bound-check glyph index in bit_putcs*
>>
>>        commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>
>>        bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>        character value masked by 0xff/0x1ff, which may exceed the actual font's
>>        glyph count and read past the end of the built-in font array.
>>        Clamp the index to the actual glyph count before computing the address.
>>
>>        This fixes a global out-of-bounds read reported by syzbot.
>>
>>        Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>        Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>        Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>        Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>>        Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>        Signed-off-by: Helge Deller <deller@gmx.de>
>>        Cc: stable@vger.kernel.org
>>        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>>     drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>     1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> The minimal reproducer in cli, after kernel is booted:
>>
>>    date >/dev/tty2; chvt 2
>>
>> and the date does not appear.
>>
>> Thanks,
>>
>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>
>>> ---
>>> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
>>> v1 -> v2:
>>>   - Fix indentation and add blank line after declarations with the .pl helper
>>>   - No functional changes
>>>
>>>   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>   1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
>>> index 9d2e59796c3e..085ffb44c51a 100644
>>> --- a/drivers/video/fbdev/core/bitblit.c
>>> +++ b/drivers/video/fbdev/core/bitblit.c
>>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>>>   				     struct fb_image *image, u8 *buf, u8 *dst)
>>>   {
>>>   	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>> +	unsigned int charcnt = vc->vc_font.charcount;
> 
> Perhaps, vc->vc_font.charcount (which is relied upon in the following
> comparison) is not always set correctly in v5.10.247. At least two
> commits that set vc_font.charcount are missing from v5.10.247:
> 
>    a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount")
>    a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
> 
> Thanks,

I was just about to report this.

I found two ways to fix this bug. One is to revert this patch; the other 
is to apply the following 3 patches, which are already present in 5.11 
and later:

7a089ec7d77fe7d50f6bb7b178fa25eec9fd822b
     console: Delete unused con_font_copy() callback implementations

4ee573086bd88ff3060dda07873bf755d332e9ba
     Fonts: Add charcount field to font_desc

a1ac250a82a5e97db71f14101ff7468291a6aaef
     fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font
     charcount

(Oh, by the way, this same regression also affects 5.4.302, and the same 
3 patches fix the regression on 5.4 as well, once you manually fix merge 
conflicts. Maybe it would be better to backport other additional commits 
instead of fixing the merge conflicts manually, but since 5.4 is now EOL 
I didn't dig that deep.)

Once these 3 patches are applied, I wonder if a5a923038d70 now becomes 
necessary for 5.10.y. For what it's worth, it applies fine and the 
resulting kernel seems to run OK in brief testing.

-- 
-Barry K. Nathan  <barryn@pobox.com>

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Thorsten Leemhuis]

[Top posting to make this easy processable]

TWIMC, Ben (now CCed) meanwhile reported the problem as well:

https://lore.kernel.org/all/c5a27a57597c78553bf121d09a1b45ed86dc02a8.camel@decadent.org.uk/

There he wrote
"""
This can be fixed by backporting the following commits from 5.11:

7a089ec7d77f console: Delete unused con_font_copy() callback implementations
259a252c1f4e console: Delete dummy con_font_set() and con_font_default()
callback implementations
4ee573086bd8 Fonts: Add charcount field to font_desc
4497364e5f61 parisc/sticore: Avoid hard-coding built-in font charcount
a1ac250a82a5 fbcon: Avoid using FNTCHARCNT() and hard-coded built-in
font charcount

These all apply without fuzz and builds cleanly for x86_64 and parisc64.
"""

Ciao, Thorsten

On 12/27/25 03:04, Barry K. Nathan wrote:
> On 12/26/25 4:21 AM, Vitaly Chikunov wrote:
>> Dear linux-fbdev, stable,
>>
>> On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>>>
>>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>>> character value masked by 0xff/0x1ff, which may exceed the actual
>>>> font's
>>>> glyph count and read past the end of the built-in font array.
>>>> Clamp the index to the actual glyph count before computing the address.
>>>>
>>>> This fixes a global out-of-bounds read reported by syzbot.
>>>>
>>>> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>>> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>>> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>>>
>>> This commit is applied to v5.10.247 and causes a regression: when
>>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>>> with angle characters, then new text is not appearing (or not visible).
>>>
>>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>>
>>>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>    Author:     Junjie Cao <junjie.cao@intel.com>
>>>    AuthorDate: 2025-10-20 21:47:01 +0800
>>>    Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>    CommitDate: 2025-12-07 06:08:07 +0900
>>>
>>>        fbdev: bitblit: bound-check glyph index in bit_putcs*
>>>
>>>        commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>>
>>>        bit_putcs_aligned()/unaligned() derived the glyph pointer from
>>> the
>>>        character value masked by 0xff/0x1ff, which may exceed the
>>> actual font's
>>>        glyph count and read past the end of the built-in font array.
>>>        Clamp the index to the actual glyph count before computing the
>>> address.
>>>
>>>        This fixes a global out-of-bounds read reported by syzbot.
>>>
>>>        Reported-by:
>>> syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>>        Closes: https://syzkaller.appspot.com/bug?
>>> extid=793cf822d213be1a74f2
>>>        Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>>        Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>>>        Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>>        Signed-off-by: Helge Deller <deller@gmx.de>
>>>        Cc: stable@vger.kernel.org
>>>        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>
>>>     drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>     1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> The minimal reproducer in cli, after kernel is booted:
>>>
>>>    date >/dev/tty2; chvt 2
>>>
>>> and the date does not appear.
>>>
>>> Thanks,
>>>
>>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>
>>>> ---
>>>> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-
>>>> a4d8-71709134f1e1@suse.de/
>>>> v1 -> v2:
>>>>   - Fix indentation and add blank line after declarations with
>>>> the .pl helper
>>>>   - No functional changes
>>>>
>>>>   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>>   1 file changed, 12 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/
>>>> fbdev/core/bitblit.c
>>>> index 9d2e59796c3e..085ffb44c51a 100644
>>>> --- a/drivers/video/fbdev/core/bitblit.c
>>>> +++ b/drivers/video/fbdev/core/bitblit.c
>>>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct
>>>> vc_data *vc, struct fb_info *info,
>>>>                        struct fb_image *image, u8 *buf, u8 *dst)
>>>>   {
>>>>       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>>> +    unsigned int charcnt = vc->vc_font.charcount;
>>
>> Perhaps, vc->vc_font.charcount (which is relied upon in the following
>> comparison) is not always set correctly in v5.10.247. At least two
>> commits that set vc_font.charcount are missing from v5.10.247:
>>
>>    a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded
>> built-in font charcount")
>>    a5a923038d70 ("fbdev: fbcon: Properly revert changes when
>> vc_resize() failed")
>>
>> Thanks,
> 
> I was just about to report this.
> 
> I found two ways to fix this bug. One is to revert this patch; the other
> is to apply the following 3 patches, which are already present in 5.11
> and later:
> 
> 7a089ec7d77fe7d50f6bb7b178fa25eec9fd822b
>     console: Delete unused con_font_copy() callback implementations
> 
> 4ee573086bd88ff3060dda07873bf755d332e9ba
>     Fonts: Add charcount field to font_desc
> 
> a1ac250a82a5e97db71f14101ff7468291a6aaef
>     fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font
>     charcount
> 
> (Oh, by the way, this same regression also affects 5.4.302, and the same
> 3 patches fix the regression on 5.4 as well, once you manually fix merge
> conflicts. Maybe it would be better to backport other additional commits
> instead of fixing the merge conflicts manually, but since 5.4 is now EOL
> I didn't dig that deep.)
> 
> Once these 3 patches are applied, I wonder if a5a923038d70 now becomes
> necessary for 5.10.y. For what it's worth, it applies fine and the
> resulting kernel seems to run OK in brief testing.
> 

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Woody Suwalski]

Vitaly Chikunov wrote:
> Dear linux-fbdev, stable,
>
> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>> character value masked by 0xff/0x1ff, which may exceed the actual font's
>> glyph count and read past the end of the built-in font array.
>> Clamp the index to the actual glyph count before computing the address.
>>
>> This fixes a global out-of-bounds read reported by syzbot.
>>
>> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
> This commit is applied to v5.10.247 and causes a regression: when
> switching VT with ctrl-alt-f2 the screen is blank or completely filled
> with angle characters, then new text is not appearing (or not visible).
>
> This commit is found with git bisect from v5.10.246 to v5.10.247:
>
>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>    Author:     Junjie Cao <junjie.cao@intel.com>
>    AuthorDate: 2025-10-20 21:47:01 +0800
>    Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>    CommitDate: 2025-12-07 06:08:07 +0900
>
>        fbdev: bitblit: bound-check glyph index in bit_putcs*
>
>        commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>
>        bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>        character value masked by 0xff/0x1ff, which may exceed the actual font's
>        glyph count and read past the end of the built-in font array.
>        Clamp the index to the actual glyph count before computing the address.
>
>        This fixes a global out-of-bounds read reported by syzbot.
>
>        Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>        Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>        Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>        Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>        Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>        Signed-off-by: Helge Deller <deller@gmx.de>
>        Cc: stable@vger.kernel.org
>        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
>     drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>     1 file changed, 12 insertions(+), 4 deletions(-)
>
> The minimal reproducer in cli, after kernel is booted:
>
>    date >/dev/tty2; chvt 2
>
> and the date does not appear.
>
> Thanks,
>
> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>
>> ---
>> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
>> v1 -> v2:
>>   - Fix indentation and add blank line after declarations with the .pl helper
>>   - No functional changes
>>
>>   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>   1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
>> index 9d2e59796c3e..085ffb44c51a 100644
>> --- a/drivers/video/fbdev/core/bitblit.c
>> +++ b/drivers/video/fbdev/core/bitblit.c
>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>>   				     struct fb_image *image, u8 *buf, u8 *dst)
>>   {
>>   	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>> +	unsigned int charcnt = vc->vc_font.charcount;
>>   	u32 idx = vc->vc_font.width >> 3;
>>   	u8 *src;
>>   
>>   	while (cnt--) {
>> -		src = vc->vc_font.data + (scr_readw(s++)&
>> -					  charmask)*cellsize;
>> +		u16 ch = scr_readw(s++) & charmask;
>> +
>> +		if (ch >= charcnt)
>> +			ch = 0;
>> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>>   
>>   		if (attr) {
>>   			update_attr(buf, src, attr, vc);
>> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
>>   				       u8 *dst)
>>   {
>>   	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>> +	unsigned int charcnt = vc->vc_font.charcount;
>>   	u32 shift_low = 0, mod = vc->vc_font.width % 8;
>>   	u32 shift_high = 8;
>>   	u32 idx = vc->vc_font.width >> 3;
>>   	u8 *src;
>>   
>>   	while (cnt--) {
>> -		src = vc->vc_font.data + (scr_readw(s++)&
>> -					  charmask)*cellsize;
>> +		u16 ch = scr_readw(s++) & charmask;
>> +
>> +		if (ch >= charcnt)
>> +			ch = 0;
>> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>>   
>>   		if (attr) {
>>   			update_attr(buf, src, attr, vc);
>> -- 
>> 2.48.1
>>
I have done the same bisecting work, too bad I did not notice Vitaly's 
work earlier :-(

There is a "cheap" workaround for systems before 5.11, (not addressing 
the root issue but) working:

diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c
index 7c2fc9f..c5a1a9d 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -86,7 +86,7 @@ static inline void bit_putcs_aligned(struct vc_data 
*vc, struct fb_info *info,
      while (cnt--) {
          u16 ch = scr_readw(s++) & charmask;

-        if (ch >= charcnt)
+        if (charcnt && ch >= charcnt)
              ch = 0;
          src = vc->vc_font.data + (unsigned int)ch * cellsize;

@@ -125,7 +125,7 @@ static inline void bit_putcs_unaligned(struct 
vc_data *vc,
      while (cnt--) {
          u16 ch = scr_readw(s++) & charmask;

-        if (ch >= charcnt)
+        if (charcnt && ch >= charcnt)
              ch = 0;
          src = vc->vc_font.data + (unsigned int)ch * cellsize;

I will try next to go full backport from 5.11 as Thorsten has suggested.

However the bigger problem is that the fbdev patch has landed in the 
5.4.302 EOL, and essentially the 5.4 EOL kernel is now hanging broken :-(

Thanks, Woody

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Woody Suwalski]

Woody Suwalski wrote:
> Vitaly Chikunov wrote:
>> Dear linux-fbdev, stable,
>>
>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>> character value masked by 0xff/0x1ff, which may exceed the actual 
>>> font's
>>> glyph count and read past the end of the built-in font array.
>>> Clamp the index to the actual glyph count before computing the address.
>>>
>>> This fixes a global out-of-bounds read reported by syzbot.
>>>
>>> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>> This commit is applied to v5.10.247 and causes a regression: when
>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>> with angle characters, then new text is not appearing (or not visible).
>>
>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>
>>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>    Author:     Junjie Cao <junjie.cao@intel.com>
>>    AuthorDate: 2025-10-20 21:47:01 +0800
>>    Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>    CommitDate: 2025-12-07 06:08:07 +0900
>>
>>        fbdev: bitblit: bound-check glyph index in bit_putcs*
>>
>>        commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>
>>        bit_putcs_aligned()/unaligned() derived the glyph pointer from 
>> the
>>        character value masked by 0xff/0x1ff, which may exceed the 
>> actual font's
>>        glyph count and read past the end of the built-in font array.
>>        Clamp the index to the actual glyph count before computing the 
>> address.
>>
>>        This fixes a global out-of-bounds read reported by syzbot.
>>
>>        Reported-by: 
>> syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>        Closes: 
>> https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>        Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
>>        Signed-off-by: Junjie Cao <junjie.cao@intel.com>
>>        Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>        Signed-off-by: Helge Deller <deller@gmx.de>
>>        Cc: stable@vger.kernel.org
>>        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>>     drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>     1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> The minimal reproducer in cli, after kernel is booted:
>>
>>    date >/dev/tty2; chvt 2
>>
>> and the date does not appear.
>>
>> Thanks,
>>
>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>
>>> ---
>>> v1: 
>>> https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
>>> v1 -> v2:
>>>   - Fix indentation and add blank line after declarations with the 
>>> .pl helper
>>>   - No functional changes
>>>
>>>   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>   1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/video/fbdev/core/bitblit.c 
>>> b/drivers/video/fbdev/core/bitblit.c
>>> index 9d2e59796c3e..085ffb44c51a 100644
>>> --- a/drivers/video/fbdev/core/bitblit.c
>>> +++ b/drivers/video/fbdev/core/bitblit.c
>>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct 
>>> vc_data *vc, struct fb_info *info,
>>>                        struct fb_image *image, u8 *buf, u8 *dst)
>>>   {
>>>       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>> +    unsigned int charcnt = vc->vc_font.charcount;
>>>       u32 idx = vc->vc_font.width >> 3;
>>>       u8 *src;
>>>         while (cnt--) {
>>> -        src = vc->vc_font.data + (scr_readw(s++)&
>>> -                      charmask)*cellsize;
>>> +        u16 ch = scr_readw(s++) & charmask;
>>> +
>>> +        if (ch >= charcnt)
>>> +            ch = 0;
>>> +        src = vc->vc_font.data + (unsigned int)ch * cellsize;
>>>             if (attr) {
>>>               update_attr(buf, src, attr, vc);
>>> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct 
>>> vc_data *vc,
>>>                          u8 *dst)
>>>   {
>>>       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>> +    unsigned int charcnt = vc->vc_font.charcount;
>>>       u32 shift_low = 0, mod = vc->vc_font.width % 8;
>>>       u32 shift_high = 8;
>>>       u32 idx = vc->vc_font.width >> 3;
>>>       u8 *src;
>>>         while (cnt--) {
>>> -        src = vc->vc_font.data + (scr_readw(s++)&
>>> -                      charmask)*cellsize;
>>> +        u16 ch = scr_readw(s++) & charmask;
>>> +
>>> +        if (ch >= charcnt)
>>> +            ch = 0;
>>> +        src = vc->vc_font.data + (unsigned int)ch * cellsize;
>>>             if (attr) {
>>>               update_attr(buf, src, attr, vc);
>>> -- 
>>> 2.48.1
>>>
> I have done the same bisecting work, too bad I did not notice Vitaly's 
> work earlier :-(
>
> There is a "cheap" workaround for systems before 5.11, (not addressing 
> the root issue but) working:
>
> diff --git a/drivers/video/fbdev/core/bitblit.c 
> b/drivers/video/fbdev/core/bitblit.c
> index 7c2fc9f..c5a1a9d 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -86,7 +86,7 @@ static inline void bit_putcs_aligned(struct vc_data 
> *vc, struct fb_info *info,
>      while (cnt--) {
>          u16 ch = scr_readw(s++) & charmask;
>
> -        if (ch >= charcnt)
> +        if (charcnt && ch >= charcnt)
>              ch = 0;
>          src = vc->vc_font.data + (unsigned int)ch * cellsize;
>
> @@ -125,7 +125,7 @@ static inline void bit_putcs_unaligned(struct 
> vc_data *vc,
>      while (cnt--) {
>          u16 ch = scr_readw(s++) & charmask;
>
> -        if (ch >= charcnt)
> +        if (charcnt && ch >= charcnt)
>              ch = 0;
>          src = vc->vc_font.data + (unsigned int)ch * cellsize;
>
> I will try next to go full backport from 5.11 as Thorsten has suggested.
>
> However the bigger problem is that the fbdev patch has landed in the 
> 5.4.302 EOL, and essentially the 5.4 EOL kernel is now hanging broken :-(
>
> Thanks, Woody
>
I have tested the solution of backporting the series of patches from 
5.11, it seems to be working OK.
However for the soon-to-be-EOL 5.10 and already EOL'ed 5.4 I would 
suggest a simpler solution where we replace  most of the logic from 5.11 
with a hardcoded charcnt=256, if charcnt not set. This would take 
advantage of the bugfix from Junjie, and be a minimal change for the 
5.10 kernel (works on 5.4 as well)

--- a/drivers/video/fbdev/core/bitblit.c    2026-01-10 
16:28:37.438569812 -0500
+++ b/drivers/video/fbdev/core/bitblit.c    2026-01-10 
16:32:51.356236549 -0500
@@ -86,6 +86,8 @@ static inline void bit_putcs_aligned(str
      while (cnt--) {
          u16 ch = scr_readw(s++) & charmask;

+        if (charcnt == 0)
+            charcnt = 256;
          if (ch >= charcnt)
              ch = 0;
          src = vc->vc_font.data + (unsigned int)ch * cellsize;
@@ -125,6 +127,8 @@ static inline void bit_putcs_unaligned(s
      while (cnt--) {
          u16 ch = scr_readw(s++) & charmask;

+        if (charcnt == 0)
+            charcnt = 256;
          if (ch >= charcnt)
              ch = 0;
          src = vc->vc_font.data + (unsigned int)ch * cellsize;

Thanks, Woody