[4.19] fbmem: add margin check to fb_check_caps()

Message ID 20210902061048.1703559-1-mudongliangabcd@gmail.com
State Superseded

Commit Message

Dongliang Mu Sept. 2, 2021, 6:10 a.m. UTC
[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]

A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
or yres setting in struct fb_var_screeninfo will result in a
KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
the margins are being cleared. The margins are cleared in
chunks and if the xres setting or yres setting is a value of
zero up to the chunk size, the failure will occur.

Add a margin check to validate xres and yres settings.

Note that, this patch needs special handling to backport it to linux
kernel 4.19, 4.14, 4.9, 4.4.

Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Dhaval Giani <dhaval.giani@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/core/fbmem.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Greg Kroah-Hartman Sept. 3, 2021, 1:55 p.m. UTC | #1
On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
>
> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> or yres setting in struct fb_var_screeninfo will result in a
> KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> the margins are being cleared. The margins are cleared in
> chunks and if the xres setting or yres setting is a value of
> zero up to the chunk size, the failure will occur.
>
> Add a margin check to validate xres and yres settings.
>
> Note that, this patch needs special handling to backport it to linux
> kernel 4.19, 4.14, 4.9, 4.4.

Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and
4.19.206 kernel releases.  Can you check them to verify that it matches
your backport as well?

thanks,

greg k-h
Dongliang Mu Sept. 4, 2021, 2:12 a.m. UTC | #2
On Fri, Sep 3, 2021 at 9:55 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
> >
> > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> > or yres setting in struct fb_var_screeninfo will result in a
> > KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> > the margins are being cleared. The margins are cleared in
> > chunks and if the xres setting or yres setting is a value of
> > zero up to the chunk size, the failure will occur.
> >
> > Add a margin check to validate xres and yres settings.
> >
> > Note that, this patch needs special handling to backport it to linux
> > kernel 4.19, 4.14, 4.9, 4.4.
>
> Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and
> 4.19.206 kernel releases.  Can you check them to verify that it matches
> your backport as well?

Yes, I have seen them in these releases and they are fine to me.

>
> thanks,
>
> greg k-h
Patch

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 84845275dbef..de04c097d67c 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -991,6 +991,10 @@  fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 			goto done;
 		}
 
+		/* bitfill_aligned() assumes that it's at least 8x8 */
+		if (var->xres < 8 || var->yres < 8)
+			return -EINVAL;
+
 		ret = info->fbops->fb_check_var(var, info);
 
 		if (ret)
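
Review bot: the new `return -EINVAL;` under `if (var->xres < 8 || var->yres < 8)` bypasses the `done` label that the branch immediately above it leaves through (`goto done;`). If `done:` in the 4.19 tree does anything beyond returning `ret`, this path skips it; setting `ret = -EINVAL;` and using `goto done;` would keep a single exit path, or the commit message could state that a direct return is safe at this point. Separately, the subject names fb_check_caps() while the hunk header shows the check landing in fb_set_var(). Since the message already says the backport needs special handling, a sentence stating where the check was placed and why would help anyone comparing this patch against the versions already in the stable releases.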