diff mbox series

[3/5] fbcon: Prevent that screen size is smaller than font size

Message ID 20220629200024.187187-4-deller@gmx.de (mailing list archive)
State Superseded
Headers show
Series fbcon: Fixes for screen resolution changes - round 2 | expand

Commit Message

Helge Deller June 29, 2022, 8 p.m. UTC
We need to prevent that users configure a screen size which is smaller than the
currently selected font size. Otherwise rendering chars on the screen will
access memory outside the graphics memory region.

This patch adds a new function fbcon_modechange_possible() which
implements this check and which later may be extended with other checks
if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
for a too small screen size.

Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.4+
---
 drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
 drivers/video/fbdev/core/fbmem.c |  4 +++-
 include/linux/fbcon.h            |  4 ++++
 3 files changed, 35 insertions(+), 1 deletion(-)

--
2.35.3

Comments

Geert Uytterhoeven June 30, 2022, 7:09 p.m. UTC | #1
Hi Helge,

On Wed, Jun 29, 2022 at 10:00 PM Helge Deller <deller@gmx.de> wrote:
> We need to prevent that users configure a screen size which is smaller than the
> currently selected font size. Otherwise rendering chars on the screen will
> access memory outside the graphics memory region.
> This patch adds a new function fbcon_modechange_possible() which
> implements this check and which later may be extended with other checks
> if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
> ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
> for a too small screen size.
>
> Signed-off-by: Helge Deller <deller@gmx.de>
> Cc: stable@vger.kernel.org # v5.4+

Thanks for your patch!

> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2736,6 +2736,34 @@ void fbcon_update_vcs(struct fb_info *info, bool all)
>  }
>  EXPORT_SYMBOL(fbcon_update_vcs);
>
> +/* let fbcon check if it supports a new screen resolution */
> +int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
> +{
> +       struct fbcon_ops *ops = info->fbcon_par;
> +       struct vc_data *vc;
> +       int i;
> +
> +       WARN_CONSOLE_UNLOCKED();
> +
> +       if (!ops || ops->currcon < 0)
> +               return -EINVAL;

So if the virtual console is _not_ used as a text console, we refuse
mode changes?

> +
> +       /* prevent setting a screen size which is smaller than font size */
> +       for (i = first_fb_vc; i <= last_fb_vc; i++) {
> +               vc = vc_cons[i].d;
> +               if (!vc || vc->vc_mode != KD_TEXT ||
> +                          registered_fb[con2fb_map[i]] != info)
> +                       continue;
> +
> +               if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
> +                   vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
> +                       return -EINVAL;
> +       }

IMHO this looks way too fragile, and we should fix the rendering code
to handle cols == 0 || rows == 0 instead...

> +
> +       return 0;
> +}
> +EXPORT_SYMBOL(fbcon_modechange_possible);
> +
>  int fbcon_mode_deleted(struct fb_info *info,
>                        struct fb_videomode *mode)
>  {
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index e645b96d2700..324f726739c4 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1111,7 +1111,9 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
>                         var.xres_virtual = var.xres;
>                 if (var.yres_virtual < var.yres)
>                         var.yres_virtual = var.yres;
> -               ret = fb_set_var(info, &var);
> +               ret = fbcon_modechange_possible(info, &var);
> +               if (!ret)
> +                       ret = fb_set_var(info, &var);
>                 if (!ret)
>                         fbcon_update_vcs(info, var.activate & FB_ACTIVATE_ALL);
>                 unlock_fb_info(info);

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
Geert Uytterhoeven June 30, 2022, 7:18 p.m. UTC | #2
Hi Helge,

On Thu, Jun 30, 2022 at 9:09 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> On Wed, Jun 29, 2022 at 10:00 PM Helge Deller <deller@gmx.de> wrote:
> > We need to prevent that users configure a screen size which is smaller than the
> > currently selected font size. Otherwise rendering chars on the screen will
> > access memory outside the graphics memory region.
> > This patch adds a new function fbcon_modechange_possible() which
> > implements this check and which later may be extended with other checks
> > if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
> > ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
> > for a too small screen size.
> >
> > Signed-off-by: Helge Deller <deller@gmx.de>
> > Cc: stable@vger.kernel.org # v5.4+
>
> Thanks for your patch!
>
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -2736,6 +2736,34 @@ void fbcon_update_vcs(struct fb_info *info, bool all)
> >  }
> >  EXPORT_SYMBOL(fbcon_update_vcs);
> >
> > +/* let fbcon check if it supports a new screen resolution */
> > +int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
> > +{
> > +       struct fbcon_ops *ops = info->fbcon_par;
> > +       struct vc_data *vc;
> > +       int i;
> > +
> > +       WARN_CONSOLE_UNLOCKED();
> > +
> > +       if (!ops || ops->currcon < 0)
> > +               return -EINVAL;
>
> So if the virtual console is _not_ used as a text console, we refuse
> mode changes?
>
> > +
> > +       /* prevent setting a screen size which is smaller than font size */
> > +       for (i = first_fb_vc; i <= last_fb_vc; i++) {
> > +               vc = vc_cons[i].d;
> > +               if (!vc || vc->vc_mode != KD_TEXT ||
> > +                          registered_fb[con2fb_map[i]] != info)

Looks like registered_fb[] is wrong since commit cad564ca557f8d3b
("fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters")?

> > +                       continue;
> > +
> > +               if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
> > +                   vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
> > +                       return -EINVAL;
> > +       }

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
Helge Deller June 30, 2022, 7:40 p.m. UTC | #3
On 6/30/22 21:09, Geert Uytterhoeven wrote:
> Hi Helge,
>
> On Wed, Jun 29, 2022 at 10:00 PM Helge Deller <deller@gmx.de> wrote:
>> We need to prevent that users configure a screen size which is smaller than the
>> currently selected font size. Otherwise rendering chars on the screen will
>> access memory outside the graphics memory region.
>> This patch adds a new function fbcon_modechange_possible() which
>> implements this check and which later may be extended with other checks
>> if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
>> ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
>> for a too small screen size.
>>
>> Signed-off-by: Helge Deller <deller@gmx.de>
>> Cc: stable@vger.kernel.org # v5.4+
>
> Thanks for your patch!
>
>> --- a/drivers/video/fbdev/core/fbcon.c
>> +++ b/drivers/video/fbdev/core/fbcon.c
>> @@ -2736,6 +2736,34 @@ void fbcon_update_vcs(struct fb_info *info, bool all)
>>  }
>>  EXPORT_SYMBOL(fbcon_update_vcs);
>>
>> +/* let fbcon check if it supports a new screen resolution */
>> +int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
>> +{
>> +       struct fbcon_ops *ops = info->fbcon_par;
>> +       struct vc_data *vc;
>> +       int i;
>> +
>> +       WARN_CONSOLE_UNLOCKED();
>> +
>> +       if (!ops || ops->currcon < 0)
>> +               return -EINVAL;
>
> So if the virtual console is _not_ used as a text console, we refuse
> mode changes?

Right, this needs to be dropped.

Helge


>> +
>> +       /* prevent setting a screen size which is smaller than font size */
>> +       for (i = first_fb_vc; i <= last_fb_vc; i++) {
>> +               vc = vc_cons[i].d;
>> +               if (!vc || vc->vc_mode != KD_TEXT ||
>> +                          registered_fb[con2fb_map[i]] != info)
>> +                       continue;
>> +
>> +               if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
>> +                   vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
>> +                       return -EINVAL;
>> +       }
>
> IMHO this looks way too fragile, and we should fix the rendering code
> to handle cols == 0 || rows == 0 instead...

Long-term we might need both.
The code above will at least return EINVAL if users try it, while
the cols/rows=0 code just prevents rendering if it doesn't fit.

Helge

>
>> +
>> +       return 0;
>> +}
>> +EXPORT_SYMBOL(fbcon_modechange_possible);
>> +
>>  int fbcon_mode_deleted(struct fb_info *info,
>>                        struct fb_videomode *mode)
>>  {
>> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
>> index e645b96d2700..324f726739c4 100644
>> --- a/drivers/video/fbdev/core/fbmem.c
>> +++ b/drivers/video/fbdev/core/fbmem.c
>> @@ -1111,7 +1111,9 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
>>                         var.xres_virtual = var.xres;
>>                 if (var.yres_virtual < var.yres)
>>                         var.yres_virtual = var.yres;
>> -               ret = fb_set_var(info, &var);
>> +               ret = fbcon_modechange_possible(info, &var);
>> +               if (!ret)
>> +                       ret = fb_set_var(info, &var);
>>                 if (!ret)
>>                         fbcon_update_vcs(info, var.activate & FB_ACTIVATE_ALL);
>>                 unlock_fb_info(info);
>
> Gr{oetje,eeting}s,
>
>                         Geert
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                 -- Linus Torvalds
diff mbox series

Patch

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index e162d5e753e5..278c065722b7 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2736,6 +2736,34 @@  void fbcon_update_vcs(struct fb_info *info, bool all)
 }
 EXPORT_SYMBOL(fbcon_update_vcs);

+/* let fbcon check if it supports a new screen resolution */
+int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
+{
+	struct fbcon_ops *ops = info->fbcon_par;
+	struct vc_data *vc;
+	int i;
+
+	WARN_CONSOLE_UNLOCKED();
+
+	if (!ops || ops->currcon < 0)
+		return -EINVAL;
+
+	/* prevent setting a screen size which is smaller than font size */
+	for (i = first_fb_vc; i <= last_fb_vc; i++) {
+		vc = vc_cons[i].d;
+		if (!vc || vc->vc_mode != KD_TEXT ||
+			   registered_fb[con2fb_map[i]] != info)
+			continue;
+
+		if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
+		    vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
+			return -EINVAL;
+	}
+
+	return 0;
+}
+EXPORT_SYMBOL(fbcon_modechange_possible);
+
 int fbcon_mode_deleted(struct fb_info *info,
 		       struct fb_videomode *mode)
 {
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index e645b96d2700..324f726739c4 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1111,7 +1111,9 @@  static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
 			var.xres_virtual = var.xres;
 		if (var.yres_virtual < var.yres)
 			var.yres_virtual = var.yres;
-		ret = fb_set_var(info, &var);
+		ret = fbcon_modechange_possible(info, &var);
+		if (!ret)
+			ret = fb_set_var(info, &var);
 		if (!ret)
 			fbcon_update_vcs(info, var.activate & FB_ACTIVATE_ALL);
 		unlock_fb_info(info);
diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h
index ff5596dd30f8..2382dec6d6ab 100644
--- a/include/linux/fbcon.h
+++ b/include/linux/fbcon.h
@@ -15,6 +15,8 @@  void fbcon_new_modelist(struct fb_info *info);
 void fbcon_get_requirement(struct fb_info *info,
 			   struct fb_blit_caps *caps);
 void fbcon_fb_blanked(struct fb_info *info, int blank);
+int  fbcon_modechange_possible(struct fb_info *info,
+			       struct fb_var_screeninfo *var);
 void fbcon_update_vcs(struct fb_info *info, bool all);
 void fbcon_remap_all(struct fb_info *info);
 int fbcon_set_con2fb_map_ioctl(void __user *argp);
@@ -33,6 +35,8 @@  static inline void fbcon_new_modelist(struct fb_info *info) {}
 static inline void fbcon_get_requirement(struct fb_info *info,
 					 struct fb_blit_caps *caps) {}
 static inline void fbcon_fb_blanked(struct fb_info *info, int blank) {}
+static inline int  fbcon_modechange_possible(struct fb_info *info,
+				struct fb_var_screeninfo *var) { return 0; }
 static inline void fbcon_update_vcs(struct fb_info *info, bool all) {}
 static inline void fbcon_remap_all(struct fb_info *info) {}
 static inline int fbcon_set_con2fb_map_ioctl(void __user *argp) { return 0; }