Re: [PATCH] fbcon: Fix OOB access in font allocation

Sat, 27 Sep 2025 15:50:21 -0700 

On Mon, Sep 22, 2025 at 03:45:54PM +0200, Thomas Zimmermann wrote:
> Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> introduced an out-of-bounds access by storing data and allocation sizes
> in the same variable. Restore the old size calculation and use the new
> variable 'alloc_size' for the allocation.
> 
> Signed-off-by: Thomas Zimmermann <[email protected]>
> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> Reported-by: Jani Nikula <[email protected]>
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
> Cc: Samasth Norway Ananda <[email protected]>
> Cc: Thomas Zimmermann <[email protected]>
> Cc: George Kennedy <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: Simona Vetter <[email protected]>
> Cc: Helge Deller <[email protected]>
> Cc: "Ville Syrjälä" <[email protected]>
> Cc: Sam Ravnborg <[email protected]>
> Cc: Qianqiang Liu <[email protected]>
> Cc: Shixiong Ou <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: <[email protected]> # v5.9+
> Cc: Zsolt Kajtar <[email protected]>
> ---
>  drivers/video/fbdev/core/fbcon.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/fbcon.c 
> b/drivers/video/fbdev/core/fbcon.c
> index 5fade44931b8..c1c0cdd7597c 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const 
> struct console_font *font,
>       unsigned charcount = font->charcount;
>       int w = font->width;
>       int h = font->height;
> -     int size;
> +     int size, alloc_size;
>       int i, csum;
>       u8 *new_data, *data = font->data;
>       int pitch = PITCH(font->width);
> @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const 
> struct console_font *font,
>               return -EINVAL;
>  
>       /* Check for overflow in allocation size calculation */
> -     if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
> +     if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, 
> &alloc_size))
>               return -EINVAL;
>  
> -     new_data = kmalloc(size, GFP_USER);
> +     new_data = kmalloc(alloc_size, GFP_USER);
>  
>       if (!new_data)
>               return -ENOMEM;
> -- 
> 2.51.0

Reviewed-by: Qianqiang Liu <[email protected]>

-- 
Best,
Qianqiang Liu

Reply via email to