Message-Id: <20220730081246.4567-1-khalid.masum.92@gmail.com>
Date: Sat, 30 Jul 2022 14:12:46 +0600
From: Khalid Masum <khalid.masum.92@...il.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
syzbot+14b0e8f3fd1612e35350@...kaller.appspotmail.com
Cc: khalid.masum.92@...il.com, khalid.masum@....com
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
Currently the if block's condition has an unhandled case, where the
result of ret might get greater than vc->vc_scr_end, and therefore
the corresponding handler in the else block never gets executed, which
eventually causes a panic in fast_imageblit.

Add this extra check in the conditions to fix this breakage.

#syz-test: https://github.com/torvalds/linux.git e0dccc3b76fb
---
drivers/video/fbdev/core/fbcon.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 1a9aa12cf886..d026f3845b60 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2591,14 +2591,13 @@ static unsigned long fbcon_getxy(struct vc_data *vc, unsigned long pos,
{
unsigned long ret;
int x, y;
+ unsigned long offset = (pos - vc->vc_origin) / 2;
+ x = offset % vc->vc_cols;
+ y = offset / vc->vc_cols;
+ ret = pos + (vc->vc_cols - x) * 2;
- if (pos >= vc->vc_origin && pos < vc->vc_scr_end) {
- unsigned long offset = (pos - vc->vc_origin) / 2;
-
- x = offset % vc->vc_cols;
- y = offset / vc->vc_cols;
- ret = pos + (vc->vc_cols - x) * 2;
- } else {
+ if (!pos >= vc->vc_origin || !pos < vc->vc_scr_end ||
+ !ret < vc->vc_scr_end) {
/* Should not happen */
x = y = 0;
ret = vc->vc_origin;
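
Review bot: In the new if condition, "!" binds tighter than the relational operators, so "!pos >= vc->vc_origin", "!pos < vc->vc_scr_end" and "!ret < vc->vc_scr_end" compare the 0-or-1 result of the negation against the bound instead of negating the comparison, and the "Should not happen" branch is no longer selected by whether pos and ret lie inside the screen buffer. Write the negated comparisons directly, for example "if (pos < vc->vc_origin || pos >= vc->vc_scr_end || ret > vc->vc_scr_end) {", and choose ">" or ">=" for ret deliberately: the commit message speaks of ret being greater than vc->vc_scr_end, while a correctly parenthesized "!(ret < vc->vc_scr_end)" would also reject ret equal to vc->vc_scr_end. In addition, offset, x, y and ret are now computed before pos is validated, so for pos below vc->vc_origin the unsigned subtraction "pos - vc->vc_origin" wraps; keeping the computation inside the original range check on pos and adding only the ret check there would avoid that.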
--
2.36.1