Message-ID: <b4af6e84-6555-4629-8291-fc4c2c99390b@gmx.de>
Date: Sat, 4 Oct 2025 02:43:33 +0200
From: Helge Deller <deller@....de>
To: Albin Babu Varghese <albinbabuvarghese20@...il.com>,
 Simona Vetter <simona@...ll.ch>
Cc: syzbot+48b0652a95834717f190@...kaller.appspotmail.com,
 linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fbdev: Add bounds checking in bit_putcs to fix
 vmalloc-out-of-bounds

On 10/3/25 09:32, Albin Babu Varghese wrote:
> Add bounds checking to prevent writes past framebuffer boundaries when
> rendering text near screen edges. Return early if the Y position is off-screen
> and clip image height to screen boundary. Break from the rendering loop if the
> X position is off-screen. When clipping image width to fit the screen, update
> the character count to match the clipped width to prevent buffer size
> mismatches.
> 
> Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
> receive mismatched parameters where the buffer is allocated for the clipped
> width but cnt reflects the original larger count, causing out-of-bounds writes.
> 
> Reported-by: syzbot+48b0652a95834717f190@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190
> Suggested-by: Helge Deller <deller@....de>
> Tested-by: syzbot+48b0652a95834717f190@...kaller.appspotmail.com
> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@...il.com>
> ---
> Changes in v2:
> - Partially render when height exceeds screen boundaries instead of skipping
> - Update character count when width is clipped to prevent buffer mismatch
> 
> Link to v1:
> https://lore.kernel.org/all/20250927075010.119671-1-albinbabuvarghese20@gmail.com/
> ---
>   drivers/video/fbdev/core/bitblit.c | 20 ++++++++++++++++++++
>   1 file changed, 20 insertions(+)

applied.

Thanks!
Helge
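
The clipping rules described in the quoted commit message, as an added example that is not part of this thread and is not the kernel patch: a simplified userspace model in C. The struct, the function names, the one-byte-per-pixel layout and the choice to drop a partially visible cell are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model (assumption): 1 byte per pixel, fixed-size character cells. */
struct blit { uint32_t dx, dy, width, height, cnt; };

/* Clip cnt cells at (b->dx, b->dy) to an xres x yres screen.
 * Returns 0 when nothing is visible, else 1 with width/height/cnt set. */
static int clip_blit(struct blit *b, uint32_t xres, uint32_t yres,
                     uint32_t cell_w, uint32_t cell_h, uint32_t cnt)
{
    if (cell_w == 0 || b->dy >= yres || b->dx >= xres)
        return 0;                          /* start position is off-screen */
    b->height = cell_h;
    if (b->height > yres - b->dy)
        b->height = yres - b->dy;          /* draw only the rows that fit */
    /* Compare by division so cnt * cell_w cannot overflow before the check. */
    uint32_t fit = (xres - b->dx) / cell_w;
    b->cnt = cnt < fit ? cnt : fit;        /* count follows the clipped width */
    if (b->cnt == 0)
        return 0;
    b->width = b->cnt * cell_w;            /* width and cnt always agree */
    return 1;
}

/* Fill the clipped rectangle in fb (xres * yres bytes); returns bytes written. */
static size_t render(uint8_t *fb, uint32_t xres, uint32_t yres, uint32_t dx,
                     uint32_t dy, uint32_t cell_w, uint32_t cell_h, uint32_t cnt)
{
    struct blit b = { .dx = dx, .dy = dy };
    if (!clip_blit(&b, xres, yres, cell_w, cell_h, cnt))
        return 0;
    for (uint32_t row = 0; row < b.height; row++)
        memset(fb + (size_t)(dy + row) * xres + dx, 0xff, b.width);
    return (size_t)b.height * b.width;
}

/* Constructed case: 4 cells of 8x16 at (56,28) on a 64x32 screen, plus guard. */
static int guard_intact_after_edge_draw(void)
{
    static uint8_t fb[64 * 32 + 16];       /* 16 trailing guard bytes */
    static const uint8_t zero[16];

    render(fb, 64, 32, 56, 28, 8, 16, 4);
    return memcmp(fb + 64 * 32, zero, sizeof(zero)) == 0;
}

int main(void) { return guard_intact_after_edge_draw() ? 0 : 1; }
```

If the count were left at 4 while the width was clipped to one cell, the per-row write length and the cell count would disagree, which is the mismatch the commit message describes.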
