Message ID | 20210902061048.1703559-1-mudongliangabcd@gmail.com (mailing list archive) |
---|---|
State | Not Applicable |
Headers | show |
Series | [4.19] fbmem: add margin check to fb_check_caps() | expand |
On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote: > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ] > > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting > or yres setting in struct fb_var_screeninfo will result in a > KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as > the margins are being cleared. The margins are cleared in > chunks and if the xres setting or yres setting is a value of > zero upto the chunk size, the failure will occur. > > Add a margin check to validate xres and yres settings. > > Note that, this patch needs special handling to backport it to linux > kernel 4.19, 4.14, 4.9, 4.4. Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and 4.19.206 kernel releases. Can you check them to verify that it matches your backport as well? thanks, greg k-h
On Fri, Sep 3, 2021 at 9:55 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote: > > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ] > > > > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting > > or yres setting in struct fb_var_screeninfo will result in a > > KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as > > the margins are being cleared. The margins are cleared in > > chunks and if the xres setting or yres setting is a value of > > zero upto the chunk size, the failure will occur. > > > > Add a margin check to validate xres and yres settings. > > > > Note that, this patch needs special handling to backport it to linux > > kernel 4.19, 4.14, 4.9, 4.4. > > Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and > 4.19.206 kernel releases. Can you check them to verify that it matches > your backport as well? Yes, I have seen them in these releases and they are fine to me. > > thanks, > > greg k-h
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 84845275dbef..de04c097d67c 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) goto done; } + /* bitfill_aligned() assumes that it's at least 8x8 */ + if (var->xres < 8 || var->yres < 8) + return -EINVAL; + ret = info->fbops->fb_check_var(var, info); if (ret)