From: Kees Cook kees@kernel.org
[ Upstream commit cedc1b63394a866bf8663a3e40f4546f1d28c8d8 ]
It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles:
UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 dev_attr_store+0x55/0x80 drivers/base/core.c:2439
static struct fb_info *fbcon_registered_fb[FB_MAX]; ... static signed char con2fb_map[MAX_NR_CONSOLES]; ... static struct fb_info *fbcon_info_from_console(int console) ... return fbcon_registered_fb[con2fb_map[console]];
If con2fb_map contains a -1 things go wrong here. Instead, return NULL, as callers of fbcon_info_from_console() are trying to compare against existing "info" pointers, so error handling should kick in correctly.
Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/ Signed-off-by: Kees Cook kees@kernel.org Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES** This commit should be backported to stable kernel trees. Here's my analysis: ## Security and Stability Issue This commit fixes a critical **array-index-out-of-bounds vulnerability** that can be triggered via sysfs. The issue occurs when `con2fb_map[console]` contains `-1`, causing `fbcon_info_from_console()` to access `fbcon_registered_fb[-1]`, which is an out-of-bounds array access. ## Bug Analysis The problem is in the `fbcon_info_from_console()` function at line 122: ```c // Before fix: return fbcon_registered_fb[con2fb_map[console]]; // After fix: fb = con2fb_map[console]; if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb)) return NULL; return fbcon_registered_fb[fb]; ``` ## Trigger Path The vulnerability can be triggered through: 1. **sysfs interface**: Writing to `/sys/class/graphics/fbX/modes` 2. **Call chain**: `store_modes()` → `fb_new_modelist()` → `fbcon_new_modelist()` → `fbcon_info_from_console()` 3. **User-accessible**: This is exploitable from userspace through the sysfs interface ## Code Context from Analysis Based on the git blame, the vulnerable code path in `fbcon_new_modelist()` has existed since: - Original code from **2005** (Linus Torvalds) - The problematic `fbcon_info_from_console()` call was added in **2022** by commit `409d6c95f9c6` ("fbcon: Introduce wrapper for console->fb_info lookup") ## Risk Assessment 1. **High Impact**: UBSAN array bounds violation, potential for memory corruption 2. **User Triggerable**: Accessible via standard sysfs interface 3. **Long- standing**: The vulnerable pattern has existed since 2022 when the wrapper was introduced 4. **Active Exploitation**: Reported by syzbot, indicating active fuzzing found this issue ## Backport Suitability 1. **Small & Contained**: Only 6 lines changed in a single function 2. **Safe Fix**: Adds bounds checking without changing logic flow 3. **No Dependencies**: The fix is self-contained and doesn't require other commits 4. **Clear Bug**: Definitively fixes out-of-bounds access with proper NULL return 5. **Stable Pattern**: Callers already handle NULL returns from `fbcon_info_from_console()` ## Comparison to Historical Precedent Looking at the similar commits provided: - **Similar Commit #1** (Backport Status: YES): Fixed boundary checks in fbcon parameter parsing - this follows the same pattern of fixing bounds issues in fbcon - The other NO commits were architectural changes or refactoring, not security fixes This commit perfectly fits the stable tree criteria: it's an important bugfix, has minimal regression risk, is contained to a single subsystem, and fixes a user-triggerable vulnerability.
drivers/video/fbdev/core/fbcon.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 07d127110ca4c..c98786996c647 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -117,9 +117,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES];
static struct fb_info *fbcon_info_from_console(int console) { + signed char fb; WARN_CONSOLE_UNLOCKED();
- return fbcon_registered_fb[con2fb_map[console]]; + fb = con2fb_map[console]; + if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb)) + return NULL; + + return fbcon_registered_fb[fb]; }
static int logo_lines;