| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5b5ec5ea-7a81-457c-9ab1-6c56a722c5e5@gmx.de> Date: Tue, 28 Oct 2025 22:23:59 +0100 From: Helge Deller <deller@....de> To: linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs* On 10/20/25 16:29, Thomas Zimmermann wrote: > Hi > > Am 20.10.25 um 15:47 schrieb Junjie Cao: >> bit_putcs_aligned()/unaligned() derived the glyph pointer from the >> character value masked by 0xff/0x1ff, which may exceed the actual font's >> glyph count and read past the end of the built-in font array. >> Clamp the index to the actual glyph count before computing the address. >> >> This fixes a global out-of-bounds read reported by syzbot. >> >> Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2 >> Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com >> Signed-off-by: Junjie Cao <junjie.cao@...el.com> > > Reviewed-by: Thomas Zimmermann <tzimmermann@...e.de> ... >> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/ >> v1 -> v2: >> - Fix indentation and add blank line after declarations with the .pl helper >> - No functional changes >> >> drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++---- >> 1 file changed, 12 insertions(+), 4 deletions(-) applied. Thanks! Helge
Powered by blists - more mailing lists