[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting or yres setting in struct fb_var_screeninfo will result in a KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as the margins are being cleared. The margins are cleared in chunks and if the xres setting or yres setting is a value of zero up to the chunk size, the failure will occur.
Add a margin check to validate xres and yres settings.
Note that this patch needs special handling to backport it to linux kernel 4.19, 4.14, 4.9, 4.4.
Signed-off-by: George Kennedy george.kennedy@oracle.com
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Reviewed-by: Dan Carpenter dan.carpenter@oracle.com
Cc: Dhaval Giani dhaval.giani@oracle.com
Signed-off-by: Bartlomiej Zolnierkiewicz b.zolnierkie@samsung.com
Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-em...
Signed-off-by: Sasha Levin sashal@kernel.org
---
 drivers/video/fbdev/core/fbmem.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 84845275dbef..de04c097d67c 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) goto done; }
+ /* bitfill_aligned() assumes that it's at least 8x8 */ + if (var->xres < 8 || var->yres < 8) + return -EINVAL; + ret = info->fbops->fb_check_var(var, info);
if (ret)
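Review bot: The new check in fb_set_var() leaves with `return -EINVAL;` while the context line just above it exits with `goto done;`, so this path skips whatever the done: label does in this version of the function. The label body is not visible in the hunk; if it does more than return ret, use `ret = -EINVAL; goto done;` instead, and if it only returns, the same form still keeps a single exit style in the function. Separately, the literal 8 in `if (var->xres < 8 || var->yres < 8)` is explained only as "at least 8x8"; the commit message relates the bound to the chunk size in which the margins are cleared, and saying so in the comment would show where the number comes from.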
On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting or yres setting in struct fb_var_screeninfo will result in a KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as the margins are being cleared. The margins are cleared in chunks and if the xres setting or yres setting is a value of zero up to the chunk size, the failure will occur.
> Add a margin check to validate xres and yres settings.
> Note that this patch needs special handling to backport it to linux kernel 4.19, 4.14, 4.9, 4.4.
Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and 4.19.206 kernel releases. Can you check them to verify that it matches your backport as well?
thanks,
greg k-h
On Fri, Sep 3, 2021 at 9:55 PM Greg KH gregkh@linuxfoundation.org wrote:
> On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
> > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting or yres setting in struct fb_var_screeninfo will result in a KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as the margins are being cleared. The margins are cleared in chunks and if the xres setting or yres setting is a value of zero up to the chunk size, the failure will occur.
> > Add a margin check to validate xres and yres settings.
> > Note that this patch needs special handling to backport it to linux kernel 4.19, 4.14, 4.9, 4.4.
> Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and 4.19.206 kernel releases. Can you check them to verify that it matches your backport as well?
Yes, I have seen them in these releases and they are fine to me.
> thanks,
> greg k-h
linux-stable-mirror@lists.linaro.org