Skip to content

Commit 5af0864

Browse files
peilin-yedanvet
authored andcommitted
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
fbcon_get_font() is reading out-of-bounds. A malicious user may resize `vc->vc_font.height` to a large value, causing fbcon_get_font() to read out of `fontdata`. fbcon_get_font() handles both built-in and user-provided fonts. Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in fonts, so fix it by adding range checks using FNTSIZE(). This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts". Cc: [email protected] Reported-and-tested-by: [email protected] Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd Signed-off-by: Peilin Ye <[email protected]> Reviewed-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Daniel Vetter <[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com
1 parent 6735b46 commit 5af0864

File tree

1 file changed

+12
-0
lines changed

1 file changed

+12
-0
lines changed

drivers/video/fbdev/core/fbcon.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2471,6 +2471,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
24712471

24722472
if (font->width <= 8) {
24732473
j = vc->vc_font.height;
2474+
if (font->charcount * j > FNTSIZE(fontdata))
2475+
return -EINVAL;
2476+
24742477
for (i = 0; i < font->charcount; i++) {
24752478
memcpy(data, fontdata, j);
24762479
memset(data + j, 0, 32 - j);
@@ -2479,13 +2482,19 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
24792482
}
24802483
} else if (font->width <= 16) {
24812484
j = vc->vc_font.height * 2;
2485+
if (font->charcount * j > FNTSIZE(fontdata))
2486+
return -EINVAL;
2487+
24822488
for (i = 0; i < font->charcount; i++) {
24832489
memcpy(data, fontdata, j);
24842490
memset(data + j, 0, 64 - j);
24852491
data += 64;
24862492
fontdata += j;
24872493
}
24882494
} else if (font->width <= 24) {
2495+
if (font->charcount * (vc->vc_font.height * sizeof(u32)) > FNTSIZE(fontdata))
2496+
return -EINVAL;
2497+
24892498
for (i = 0; i < font->charcount; i++) {
24902499
for (j = 0; j < vc->vc_font.height; j++) {
24912500
*data++ = fontdata[0];
@@ -2498,6 +2507,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
24982507
}
24992508
} else {
25002509
j = vc->vc_font.height * 4;
2510+
if (font->charcount * j > FNTSIZE(fontdata))
2511+
return -EINVAL;
2512+
25012513
for (i = 0; i < font->charcount; i++) {
25022514
memcpy(data, fontdata, j);
25032515
memset(data + j, 0, 128 - j);

0 commit comments

Comments
 (0)