Hi,
thanks for the patch.
On 18.01.26 at 01:18, Osama Abdelkader wrote:
The sys_fillrect function was missing bounds validation, which could lead
to vmalloc-out-of-bounds writes when the rectangle coordinates extend
beyond the framebuffer's virtual resolution. This was detected by KASAN
and reported by syzkaller.
Add validation to:
1. Check that width and height are non-zero
2. Verify that dx and dy are within virtual resolution bounds
3. Clip the rectangle dimensions to fit within virtual resolution if needed
This is rather a problem with the caller of the fillrect helper and
affects all drivers and all implementations of fb_fillrect. Clipping
should happen in the fbcon functions before invoking ->fb_con.
Best regards
Thomas
This follows the same pattern used in other framebuffer drivers like
pm2fb_fillrect.
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
Signed-off-by: Osama Abdelkader <[email protected]>
---
drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
index 12eea3e424bb..73fc322ff8fd 100644
--- a/drivers/video/fbdev/core/sysfillrect.c
+++ b/drivers/video/fbdev/core/sysfillrect.c
@@ -7,6 +7,7 @@
#include <linux/module.h>
#include <linux/fb.h>
#include <linux/bitrev.h>
+#include <linux/string.h>
#include <asm/types.h>
#ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
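Review bot: the only new user of <linux/string.h> in this patch is the memcpy() added to sys_fillrect() in the next hunk, and a plain struct assignment (`modded = *rect;`) copies the same bytes without needing the extra include; if the include stays, the commit message should say why it is required.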
@@ -18,10 +19,28 @@
void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
{
+ struct fb_fillrect modded;
+ int vxres, vyres;
+
if (!(p->flags & FBINFO_VIRTFB))
fb_warn_once(p, "%s: framebuffer is not in virtual address
space.\n", __func__);
- fb_fillrect(p, rect);
+ vxres = p->var.xres_virtual;
+ vyres = p->var.yres_virtual;
+
+ /* Validate and clip rectangle to virtual resolution */
+ if (!rect->width || !rect->height ||
+ rect->dx >= vxres || rect->dy >= vyres)
+ return;
+
+ memcpy(&modded, rect, sizeof(struct fb_fillrect));
+
+ if (modded.dx + modded.width > vxres)
+ modded.width = vxres - modded.dx;
+ if (modded.dy + modded.height > vyres)
+ modded.height = vyres - modded.dy;
+
+ fb_fillrect(p, &modded);
}
EXPORT_SYMBOL(sys_fillrect);
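Review bot: the clip test `if (modded.dx + modded.width > vxres)` is evaluated in 32-bit unsigned arithmetic (dx and width are __u32 in struct fb_fillrect), so a width close to U32_MAX wraps the sum to a value below vxres, the clip is skipped and fb_fillrect() is still called with the oversized width; the dy/height test has the same problem. Because `rect->dx >= vxres` has already returned above, `vxres - modded.dx` cannot underflow, so compare against the remainder instead: `if (modded.width > vxres - modded.dx) modded.width = vxres - modded.dx;` and likewise for height. Declaring vxres/vyres as u32 rather than int would also match var.xres_virtual/yres_virtual and avoid the signed/unsigned comparisons.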
--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
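The clipping step the commit message lays out, as an added example that is not code from the patch or from the kernel: a user-space model in C of the three checks, with the far-edge comparison written so a 32-bit dx + width cannot wrap, beside the sum-based form for contrast. struct rect and all function names below are assumed.

```c
/* Added example, not the patch's code: a user-space model of the clip step
 * the commit message describes, written so dx + width can never wrap in 32-bit
 * arithmetic. struct rect mirrors struct fb_fillrect's geometry; names assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct rect { uint32_t dx, dy, width, height; };

/* Clip *r in place; false means nothing is left and the fill must be skipped.
 * dx < vxres and dy < vyres hold after the first check, so the subtractions
 * cannot underflow and the sum dx + width is never formed. */
static bool clip_rect(struct rect *r, uint32_t vxres, uint32_t vyres)
{
	if (!r->width || !r->height || r->dx >= vxres || r->dy >= vyres)
		return false;
	if (r->width > vxres - r->dx)
		r->width = vxres - r->dx;
	if (r->height > vyres - r->dy)
		r->height = vyres - r->dy;
	return true;
}

/* Same checks written as "dx + width > vxres": the 32-bit sum wraps for a
 * width near UINT32_MAX and the clip is silently skipped. */
static bool clip_rect_naive(struct rect *r, uint32_t vxres, uint32_t vyres)
{
	if (!r->width || !r->height || r->dx >= vxres || r->dy >= vyres)
		return false;
	if (r->dx + r->width > vxres)
		r->width = vxres - r->dx;
	if (r->dy + r->height > vyres)
		r->height = vyres - r->dy;
	return true;
}

int main(void)
{
	/* Constructed input: 1024x768 buffer, width chosen so dx + width wraps to 4. */
	struct rect safe = { 10, 10, UINT32_MAX - 5, 20 }, naive = safe;
	bool kept = clip_rect(&safe, 1024, 768);
	printf("safe  clip: kept=%d width=%u\n", kept, safe.width);
	kept = clip_rect_naive(&naive, 1024, 768);
	printf("naive clip: kept=%d width=%u\n", kept, naive.width);
	return 0;
}
```

The safe variant reduces the hostile width to 1014; the sum-based variant keeps the request and passes the full width through.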