lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aU23brU4lZqIkw4Z@altlinux.org>
Date: Fri, 26 Dec 2025 01:29:13 +0300
From: Vitaly Chikunov <vt@...linux.org>
To: Junjie Cao <junjie.cao@...el.com>
Cc: Thomas Zimmermann <tzimmermann@...e.de>, 
	Simona Vetter <simona@...ll.ch>, Helge Deller <deller@....de>, Zsolt Kajtar <soci@....rulez.org>, 
	Albin Babu Varghese <albinbabuvarghese20@...il.com>, linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org, 
	linux-kernel@...r.kernel.org, stable@...r.kernel.org, regressions@...ts.linux.dev
Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
> 
> This fixes a global out-of-bounds read reported by syzbot.
> 
> Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
> Signed-off-by: Junjie Cao <junjie.cao@...el.com>

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

  0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
  commit 0998a6cb232674408a03e8561dc15aa266b2f53b
  Author:     Junjie Cao <junjie.cao@...el.com>
  AuthorDate: 2025-10-20 21:47:01 +0800
  Commit:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
  CommitDate: 2025-12-07 06:08:07 +0900

      fbdev: bitblit: bound-check glyph index in bit_putcs*

      commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

      bit_putcs_aligned()/unaligned() derived the glyph pointer from the
      character value masked by 0xff/0x1ff, which may exceed the actual font's
      glyph count and read past the end of the built-in font array.
      Clamp the index to the actual glyph count before computing the address.

      This fixes a global out-of-bounds read reported by syzbot.

      Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
      Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
      Signed-off-by: Junjie Cao <junjie.cao@...el.com>
      Reviewed-by: Thomas Zimmermann <tzimmermann@...e.de>
      Signed-off-by: Helge Deller <deller@....de>
      Cc: stable@...r.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
   1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

  date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b

> ---
> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> v1 -> v2:
>  - Fix indentation and add blank line after declarations with the .pl helper
>  - No functional changes
> 
>  drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c
> index 9d2e59796c3e..085ffb44c51a 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
>  				     struct fb_image *image, u8 *buf, u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
>  				       u8 *dst)
>  {
>  	u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> +	unsigned int charcnt = vc->vc_font.charcount;
>  	u32 shift_low = 0, mod = vc->vc_font.width % 8;
>  	u32 shift_high = 8;
>  	u32 idx = vc->vc_font.width >> 3;
>  	u8 *src;
>  
>  	while (cnt--) {
> -		src = vc->vc_font.data + (scr_readw(s++)&
> -					  charmask)*cellsize;
> +		u16 ch = scr_readw(s++) & charmask;
> +
> +		if (ch >= charcnt)
> +			ch = 0;
> +		src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>  		if (attr) {
>  			update_attr(buf, src, attr, vc);
> -- 
> 2.48.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ