From: Albin Babu Varghese albinbabuvarghese20@gmail.com
[ Upstream commit 3637d34b35b287ab830e66048841ace404382b67 ]
Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.
Reported-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190 Suggested-by: Helge Deller deller@gmx.de Tested-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com Signed-off-by: Albin Babu Varghese albinbabuvarghese20@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
YES - The added vertical guard in `drivers/video/fbdev/core/bitblit.c:163-166` stops the renderer before it touches rows past `info->var.yres`, directly preventing the off- screen writes that triggered the syzbot vmalloc-out-of-bounds report while leaving the rest of the rendering unchanged. - The horizontal clipping in `drivers/video/fbdev/core/bitblit.c:182-191` is the crucial fix: it refuses to draw when the start X is already off-screen, clips `image.width` to the visible span, and—most importantly—shrinks `cnt` to match the clipped width. Without that `cnt` adjustment, the subsequent calls to `bit_putcs_aligned/unaligned` (drivers/video/fbdev/core/bitblit.c:200-205) would still iterate over the original character count and walk past the pixmap buffer that was sized for the smaller width, recreating the exact overflow syzbot caught. - `bit_putcs` is the fbcon `putcs` hook (drivers/video/fbdev/core/bitblit.c:408), so this bug can be triggered by any console text write near the display edge; the overflow is real memory corruption, making this a high-priority stable fix. - The patch is self-contained to console blitting, introduces no API or structural changes, and only adds straightforward bounds checks and bookkeeping, so regression risk is low while preventing a serious crash/security issue.
Backporting this minimal defensive fix aligns with stable policy: it closes a user-visible bug (vmalloc OOB) reported by syzbot and does so with tightly scoped changes. Recommendation: apply to stable.
drivers/video/fbdev/core/bitblit.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c index f9475c14f7339..a9ec7f488522c 100644 --- a/drivers/video/fbdev/core/bitblit.c +++ b/drivers/video/fbdev/core/bitblit.c @@ -160,6 +160,11 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, image.height = vc->vc_font.height; image.depth = 1;
+ if (image.dy >= info->var.yres) + return; + + image.height = min(image.height, info->var.yres - image.dy); + if (attribute) { buf = kmalloc(cellsize, GFP_ATOMIC); if (!buf) @@ -173,6 +178,18 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, cnt = count;
image.width = vc->vc_font.width * cnt; + + if (image.dx >= info->var.xres) + break; + + if (image.dx + image.width > info->var.xres) { + image.width = info->var.xres - image.dx; + cnt = image.width / vc->vc_font.width; + if (cnt == 0) + break; + image.width = cnt * vc->vc_font.width; + } + pitch = DIV_ROUND_UP(image.width, 8) + scan_align; pitch &= ~scan_align; size = pitch * image.height + buf_align;