On Mon, Jan 19, 2026 at 08:38:31AM +0100, Thomas Zimmermann wrote: > Hi, > > thanks for the patch. > > Am 18.01.26 um 01:18 schrieb Osama Abdelkader: > > The sys_fillrect function was missing bounds validation, which could lead > > to vmalloc-out-of-bounds writes when the rectangle coordinates extend > > beyond the framebuffer's virtual resolution. This was detected by KASAN > > and reported by syzkaller. > > > > Add validation to: > > 1. Check that width and height are non-zero > > 2. Verify that dx and dy are within virtual resolution bounds > > 3. Clip the rectangle dimensions to fit within virtual resolution if needed > > This is rather a problem with the caller of the fillrect helper and affects > all drivers and all implementations of fb_fillrect. Clipping should happen > in the fbcon functions before invoking ->fb_con. > > Best regards > Thomas > > > > > This follows the same pattern used in other framebuffer drivers like > > pm2fb_fillrect. > > > > Reported-by: [email protected] > > Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b > > Signed-off-by: Osama Abdelkader <[email protected]> > > --- > > drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++- > > 1 file changed, 20 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/video/fbdev/core/sysfillrect.c > > b/drivers/video/fbdev/core/sysfillrect.c > > index 12eea3e424bb..73fc322ff8fd 100644 > > --- a/drivers/video/fbdev/core/sysfillrect.c > > +++ b/drivers/video/fbdev/core/sysfillrect.c > > @@ -7,6 +7,7 @@ > > #include <linux/module.h> > > #include <linux/fb.h> > > #include <linux/bitrev.h> > > +#include <linux/string.h> > > #include <asm/types.h> > > #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE 
> > @@ -18,10 +19,28 @@ > > void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect) > > { > > + struct fb_fillrect modded; > > + int vxres, vyres; > > + > > if (!(p->flags & FBINFO_VIRTFB)) > > fb_warn_once(p, "%s: framebuffer is not in virtual address > > space.\n", __func__); > > - fb_fillrect(p, rect); > > + vxres = p->var.xres_virtual; > > + vyres = p->var.yres_virtual; > > + > > + /* Validate and clip rectangle to virtual resolution */ > > + if (!rect->width || !rect->height || > > + rect->dx >= vxres || rect->dy >= vyres) > > + return; > > + > > + memcpy(&modded, rect, sizeof(struct fb_fillrect)); > > + > > + if (modded.dx + modded.width > vxres) > > + modded.width = vxres - modded.dx; > > + if (modded.dy + modded.height > vyres) > > + modded.height = vyres - modded.dy; > > + > > + fb_fillrect(p, &modded); > > } > > EXPORT_SYMBOL(sys_fillrect); > > -- > -- > Thomas Zimmermann > Graphics Driver Developer > SUSE Software Solutions Germany GmbH > Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com > GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg) > >
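Review bot: the new `#include <linux/string.h>` in the first hunk is there only to supply `memcpy()` for copying `*rect` into `modded` in the second hunk; a plain struct assignment (`modded = *rect;`) performs the same copy, is type-checked by the compiler, and makes the extra include unnecessary.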
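Review bot: the clipping in the second hunk can still be bypassed by wrap-around in `modded.dx + modded.width > vxres` (and in the `dy`/`height` counterpart): once `rect->dx >= vxres` has rejected out-of-range origins, compare the width against the remaining space instead, e.g. `if (modded.width > vxres - modded.dx) modded.width = vxres - modded.dx;`, which cannot overflow. Separately, `int vxres, vyres;` receives values copied from `p->var.xres_virtual`/`yres_virtual` and is then compared against the rectangle fields, so declare the locals with the same (unsigned) type to avoid a mixed-sign comparison; and since the thread identifies the root cause as the caller passing unclipped coordinates, a `fb_warn_once()` before the new `return` would surface those callers instead of silently dropping the draw.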
Thanks for the info. Best regards, Osama
