lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de>
Date: Mon, 20 Oct 2025 10:21:21 +0200
From: Thomas Zimmermann <tzimmermann@...e.de>
To: Junjie Cao <junjie.cao@...el.com>, Simona Vetter <simona@...ll.ch>,
 Helge Deller <deller@....de>, Zsolt Kajtar <soci@....rulez.org>
Cc: Albin Babu Varghese <albinbabuvarghese20@...il.com>,
 linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
 linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
 syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
Subject: Re: [PATCH] fbdev: bitblit: bound-check glyph index in bit_putcs*

Hi

Am 20.10.25 um 01:53 schrieb Junjie Cao:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
>
> This fixes a global out-of-bounds read reported by syzbot.
>
> Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
> Signed-off-by: Junjie Cao <junjie.cao@...el.com>
> ---
>   drivers/video/fbdev/core/bitblit.c | 14 ++++++++++----
>   1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
> index a9ec7f488522..710883831826 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -79,12 +79,15 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>   				     struct fb_image *image, u8 *buf, u8 *dst)
>   {
>   	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>   	u32 idx = vc->vc_font.width >> 3;
>   	u8 *src;
>   
>   	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +	if (ch >= charcnt)
> +		ch = 0;
> +	src = vc->vc_font.data + (unsigned int)ch * cellsize;

Indention looks off.

>   
>   		if (attr) {
>   			update_attr(buf, src, attr, vc);
> @@ -112,14 +115,17 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
>   				       u8 *dst)
>   {
>   	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>   	u32 shift_low = 0, mod = vc->vc_font.width % 8;
>   	u32 shift_high = 8;
>   	u32 idx = vc->vc_font.width >> 3;
>   	u8 *src;
>   
>   	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +	if (ch >= charcnt)
> +		ch = 0;
> +	src = vc->vc_font.data + (unsigned int)ch * cellsize;

Same here.

Best regards
Thomas

>   
>   		if (attr) {
>   			update_attr(buf, src, attr, vc);

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ