Message-ID: <b4af6e84-6555-4629-8291-fc4c2c99390b@gmx.de>
Date: Sat, 4 Oct 2025 02:43:33 +0200
From: Helge Deller <deller@....de>
To: Albin Babu Varghese <albinbabuvarghese20@...il.com>,
Simona Vetter <simona@...ll.ch>
Cc: syzbot+48b0652a95834717f190@...kaller.appspotmail.com,
linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fbdev: Add bounds checking in bit_putcs to fix
vmalloc-out-of-bounds
On 10/3/25 09:32, Albin Babu Varghese wrote:
> Add bounds checking to prevent writes past framebuffer boundaries when
> rendering text near screen edges. Return early if the Y position is off-screen
> and clip image height to screen boundary. Break from the rendering loop if the
> X position is off-screen. When clipping image width to fit the screen, update
> the character count to match the clipped width to prevent buffer size
> mismatches.
>
> Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
> receive mismatched parameters where the buffer is allocated for the clipped
> width but cnt reflects the original larger count, causing out-of-bounds writes.
>
> Reported-by: syzbot+48b0652a95834717f190@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190
> Suggested-by: Helge Deller <deller@....de>
> Tested-by: syzbot+48b0652a95834717f190@...kaller.appspotmail.com
> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@...il.com>
> ---
> Changes in v2:
> - Partially render when height exceeds screen boundaries instead of skipping
> - Update character count when width is clipped to prevent buffer mismatch
>
> Link to v1:
> https://lore.kernel.org/all/20250927075010.119671-1-albinbabuvarghese20@gmail.com/
> ---
> drivers/video/fbdev/core/bitblit.c | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
applied.
Thanks!
Helge
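
The clipping described in the quoted commit message, as an added example that is not part of this thread or of the kernel patch: a simplified user-space C model in which `struct blit`, `clip_run` and `end_index` are hypothetical names and the screen is assumed to hold one pixel per index. It shows why the glyph count has to shrink together with the clipped width.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one text blit; not the kernel's struct fb_image. */
struct blit {
    uint32_t dx, dy;        /* top-left pixel of the run */
    uint32_t width, height; /* pixel size of the run */
    uint32_t cnt;           /* glyphs in the run */
};

/* One past the last pixel index the blit touches (rows of xres pixels). */
static uint64_t end_index(const struct blit *b, uint32_t xres)
{
    return (uint64_t)(b->dy + b->height - 1) * xres + b->dx + b->width;
}

/*
 * Clip a run of fw x fh glyphs to an xres x yres screen. Returns false when
 * nothing is visible. On success width == cnt * fw, so a buffer sized from
 * width and a copy loop driven by cnt agree.
 */
static bool clip_run(struct blit *b, uint32_t fw, uint32_t fh,
                     uint32_t xres, uint32_t yres)
{
    if (fw == 0 || fh == 0 || b->dx >= xres || b->dy >= yres)
        return false;                       /* start is off-screen */
    b->height = fh < yres - b->dy ? fh : yres - b->dy; /* partial rows */
    uint32_t fit = (xres - b->dx) / fw;     /* whole glyphs that fit */
    if (b->cnt > fit)
        b->cnt = fit;                       /* keep cnt in step with width */
    if (b->cnt == 0)
        return false;
    b->width = b->cnt * fw;
    return true;
}

int main(void)
{
    /* Constructed input: 640x400 screen, 8x16 font, 4 glyphs near the corner. */
    struct blit b = { 624, 392, 4 * 8, 16, 4 };
    printf("unclipped end %llu of %u\n",
           (unsigned long long)end_index(&b, 640), 640u * 400u);
    if (clip_run(&b, 8, 16, 640, 400))
        printf("clipped: cnt=%u width=%u height=%u end %llu\n", b.cnt,
               b.width, b.height, (unsigned long long)end_index(&b, 640));
    return 0;
}
```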