Message-ID: <785e9aa8-dbfa-4325-bbcd-0ab44a2feb46@leemhuis.info>
Date: Tue, 6 Jan 2026 10:04:05 +0100
From: Thorsten Leemhuis <regressions@...mhuis.info>
To: "Barry K. Nathan" <barryn@...ox.com>, Vitaly Chikunov <vt@...linux.org>,
 Junjie Cao <junjie.cao@...el.com>, Thomas Zimmermann <tzimmermann@...e.de>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Peilin Ye <yepeilin.cs@...il.com>, Daniel Vetter
 <daniel.vetter@...ll.ch>, Shigeru Yoshida <syoshida@...hat.com>,
 Simona Vetter <simona@...ll.ch>, Helge Deller <deller@....de>,
 Zsolt Kajtar <soci@....rulez.org>,
 Albin Babu Varghese <albinbabuvarghese20@...il.com>,
 linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
 linux-kernel@...r.kernel.org, stable@...r.kernel.org,
 regressions@...ts.linux.dev, Ben Hutchings <ben@...adent.org.uk>
Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

[Top posting to make this easily processable]

TWIMC, Ben (now CCed) meanwhile reported the problem as well:

https://lore.kernel.org/all/c5a27a57597c78553bf121d09a1b45ed86dc02a8.camel@decadent.org.uk/

There he wrote
"""
This can be fixed by backporting the following commits from 5.11:

7a089ec7d77f console: Delete unused con_font_copy() callback implementations
259a252c1f4e console: Delete dummy con_font_set() and con_font_default()
callback implementations
4ee573086bd8 Fonts: Add charcount field to font_desc
4497364e5f61 parisc/sticore: Avoid hard-coding built-in font charcount
a1ac250a82a5 fbcon: Avoid using FNTCHARCNT() and hard-coded built-in
font charcount

These all apply without fuzz and build cleanly for x86_64 and parisc64.
"""

Ciao, Thorsten

On 12/27/25 03:04, Barry K. Nathan wrote:
> On 12/26/25 4:21 AM, Vitaly Chikunov wrote:
>> Dear linux-fbdev, stable,
>>
>> On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>>>
>>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>>> character value masked by 0xff/0x1ff, which may exceed the actual font's
>>>> glyph count and read past the end of the built-in font array.
>>>> Clamp the index to the actual glyph count before computing the address.
>>>>
>>>> This fixes a global out-of-bounds read reported by syzbot.
>>>>
>>>> Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>>> Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
>>>> Signed-off-by: Junjie Cao <junjie.cao@...el.com>
>>>
>>> This commit is applied to v5.10.247 and causes a regression: when
>>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>>> with angle characters, then new text is not appearing (or not visible).
>>>
>>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>>
>>>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>    Author:     Junjie Cao <junjie.cao@...el.com>
>>>    AuthorDate: 2025-10-20 21:47:01 +0800
>>>    Commit:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>>>    CommitDate: 2025-12-07 06:08:07 +0900
>>>
>>>        fbdev: bitblit: bound-check glyph index in bit_putcs*
>>>
>>>        commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>>
>>>        bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>>        character value masked by 0xff/0x1ff, which may exceed the actual font's
>>>        glyph count and read past the end of the built-in font array.
>>>        Clamp the index to the actual glyph count before computing the address.
>>>
>>>        This fixes a global out-of-bounds read reported by syzbot.
>>>
>>>        Reported-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
>>>        Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>>        Tested-by: syzbot+793cf822d213be1a74f2@...kaller.appspotmail.com
>>>        Signed-off-by: Junjie Cao <junjie.cao@...el.com>
>>>        Reviewed-by: Thomas Zimmermann <tzimmermann@...e.de>
>>>        Signed-off-by: Helge Deller <deller@....de>
>>>        Cc: stable@...r.kernel.org
>>>        Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>>>
>>>     drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>     1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> The minimal reproducer in cli, after kernel is booted:
>>>
>>>    date >/dev/tty2; chvt 2
>>>
>>> and the date does not appear.
>>>
>>> Thanks,
>>>
>>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>
>>>> ---
>>>> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@...e.de/
>>>> v1 -> v2:
>>>>   - Fix indentation and add blank line after declarations with
>>>> the .pl helper
>>>>   - No functional changes
>>>>
>>>>   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>>   1 file changed, 12 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/
>>>> fbdev/core/bitblit.c
>>>> index 9d2e59796c3e..085ffb44c51a 100644
>>>> --- a/drivers/video/fbdev/core/bitblit.c
>>>> +++ b/drivers/video/fbdev/core/bitblit.c
>>>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct
>>>> vc_data *vc, struct fb_info *info,
>>>>                        struct fb_image *image, u8 *buf, u8 *dst)
>>>>   {
>>>>       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>>> +    unsigned int charcnt = vc->vc_font.charcount;
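Review bot: the new bound `unsigned int charcnt = vc->vc_font.charcount;` is only as trustworthy as whatever populated vc_font.charcount, and on the 5.10.y tree this was backported to, the thread notes that the commits which set it for built-in fonts (4ee573086bd8 "Fonts: Add charcount field to font_desc" and a1ac250a82a5 "fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") are absent. If the field is left at zero, every masked index compares as out of range and the clamp collapses all glyphs onto one, which matches the blank VT Vitaly bisected to this commit. The rest of the hunk with the comparison itself is cut off here, but whatever it does, the backport should either carry the charcount-populating commits with it or treat a zero charcount as "unknown" and not clamp against it, rather than silently comparing against a value nothing on that branch ever set.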
>>
>> Perhaps, vc->vc_font.charcount (which is relied upon in the following
>> comparison) is not always set correctly in v5.10.247. At least two
>> commits that set vc_font.charcount are missing from v5.10.247:
>>
>>    a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount")
>>    a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
>>
>> Thanks,
> 
> I was just about to report this.
> 
> I found two ways to fix this bug. One is to revert this patch; the other
> is to apply the following 3 patches, which are already present in 5.11
> and later:
> 
> 7a089ec7d77fe7d50f6bb7b178fa25eec9fd822b
>     console: Delete unused con_font_copy() callback implementations
> 
> 4ee573086bd88ff3060dda07873bf755d332e9ba
>     Fonts: Add charcount field to font_desc
> 
> a1ac250a82a5e97db71f14101ff7468291a6aaef
>     fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font
>     charcount
> 
> (Oh, by the way, this same regression also affects 5.4.302, and the same
> 3 patches fix the regression on 5.4 as well, once you manually fix merge
> conflicts. Maybe it would be better to backport other additional commits
> instead of fixing the merge conflicts manually, but since 5.4 is now EOL
> I didn't dig that deep.)
> 
> Once these 3 patches are applied, I wonder if a5a923038d70 now becomes
> necessary for 5.10.y. For what it's worth, it applies fine and the
> resulting kernel seems to run OK in brief testing.
> 
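
The bug and the regression discussed in this thread can be modelled in a few lines of user-space C. This is a constructed example, not the kernel's bitblit.c code and not the patch: it assumes an 8x16 built-in font (16 bytes per glyph) that carries only 128 glyphs, fewer than the 256 or 512 the 0xff/0x1ff mask admits, and it assumes that an unpopulated charcount field reads as 0. The exact form of the clamp in the real patch is not visible in the truncated hunk above, so clamped_index() is the example's own reading of "clamp the index to the actual glyph count". masked_index() reproduces the pre-fix out-of-bounds offset, clamped_index() with a populated charcount keeps the pointer inside the array, and distinct_glyphs() shows what happens when charcount is never set: every character maps to glyph 0, so written text never appears, which is the symptom reported for 5.10.247.

```c
/* Model of the fbdev glyph-index computation and of a charcount-based clamp.
 * Constructed example; not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GLYPH_BYTES 16          /* 8x16 font: 16 bytes per glyph (assumption) */
#define BUILTIN_CHARCOUNT 128   /* constructed font with fewer glyphs than the mask admits */

/* Minimal stand-in for the font description: bitmap, its size, and the
 * charcount field that newer trees populate and this example's "old tree"
 * leaves at 0. */
struct model_font {
	const uint8_t *data;
	size_t data_len;
	unsigned int charcount;
};

static const uint8_t builtin_glyphs[BUILTIN_CHARCOUNT * GLYPH_BYTES] = {0};

static const struct model_font builtin_font = {
	builtin_glyphs, sizeof(builtin_glyphs), BUILTIN_CHARCOUNT
};

/* Pre-fix index: only the 0xff/0x1ff mask bounds it, so a 512-glyph mask
 * over a 128-glyph font yields indices up to 511. */
static unsigned int masked_index(uint16_t c, int hi_font_mask)
{
	uint16_t charmask = hi_font_mask ? 0x1ff : 0xff;

	return c & charmask;
}

/* Does glyph idx lie wholly inside the bitmap array? */
static int glyph_in_bounds(const struct model_font *f, unsigned int idx)
{
	return (size_t)idx * GLYPH_BYTES + GLYPH_BYTES <= f->data_len;
}

/* Post-fix index as this example reads the commit message: clamp to the
 * glyph count. With charcount == 0 (never populated) every index is "out
 * of range" and collapses to glyph 0, which models the regression. */
static unsigned int clamped_index(uint16_t c, int hi_font_mask, unsigned int charcount)
{
	unsigned int idx = masked_index(c, hi_font_mask);

	if (idx >= charcount)
		idx = charcount ? charcount - 1 : 0;
	return idx;
}

/* Push a string through clamped_index() and count how many distinct glyphs
 * it would draw. A populated charcount gives one glyph per distinct
 * character; an unpopulated one gives 1, i.e. nothing readable on screen. */
static unsigned int distinct_glyphs(const char *s, int hi_font_mask, unsigned int charcount)
{
	uint8_t seen[512] = {0};
	unsigned int n = 0;

	for (; *s; s++) {
		unsigned int idx = clamped_index((uint8_t)*s, hi_font_mask, charcount);

		if (!seen[idx]) {
			seen[idx] = 1;
			n++;
		}
	}
	return n;
}

int main(void)
{
	unsigned int raw = masked_index(0x1ff, 1);
	unsigned int fixed = clamped_index(0x1ff, 1, builtin_font.charcount);

	printf("masked index %u in bounds: %d\n", raw, glyph_in_bounds(&builtin_font, raw));
	printf("clamped index %u in bounds: %d\n", fixed, glyph_in_bounds(&builtin_font, fixed));
	printf("distinct glyphs for \"date\": charcount=%u -> %u, charcount=0 -> %u\n",
	       builtin_font.charcount,
	       distinct_glyphs("date", 0, builtin_font.charcount),
	       distinct_glyphs("date", 0, 0));
	return 0;
}
```

The third line of output is the regression in miniature: the same clamp that keeps the 0x1ff case inside the array also turns every character into glyph 0 once charcount is missing, which is why a bound derived from a field must be backported together with the commits that fill that field in.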

