Message-ID: <5bc62c51-308c-483f-a92d-29354f2deeac@suse.de>
Date: Mon, 19 Jan 2026 08:38:31 +0100
From: Thomas Zimmermann <tzimmermann@...e.de>
To: Osama Abdelkader <osama.abdelkader@...il.com>,
 Zsolt Kajtar <soci@....rulez.org>, Simona Vetter <simona@...ll.ch>,
 Helge Deller <deller@....de>, linux-fbdev@...r.kernel.org,
 dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Cc: syzbot+7a63ce155648954e749b@...kaller.appspotmail.com
Subject: Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent
 vmalloc-out-of-bounds

Hi,

thanks for the patch.

On 18.01.26 at 01:18, Osama Abdelkader wrote:
> The sys_fillrect function was missing bounds validation, which could lead
> to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> beyond the framebuffer's virtual resolution. This was detected by KASAN
> and reported by syzkaller.
>
> Add validation to:
> 1. Check that width and height are non-zero
> 2. Verify that dx and dy are within virtual resolution bounds
> 3. Clip the rectangle dimensions to fit within virtual resolution if needed

This is rather a problem with the caller of the fillrect helper and 
affects all drivers and all implementations of fb_fillrect. Clipping 
should happen in the fbcon functions before invoking ->fb_con.

Best regards
Thomas

>
> This follows the same pattern used in other framebuffer drivers like
> pm2fb_fillrect.
>
> Reported-by: syzbot+7a63ce155648954e749b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> Signed-off-by: Osama Abdelkader <osama.abdelkader@...il.com>
> ---
>   drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
>   1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> index 12eea3e424bb..73fc322ff8fd 100644
> --- a/drivers/video/fbdev/core/sysfillrect.c
> +++ b/drivers/video/fbdev/core/sysfillrect.c
> @@ -7,6 +7,7 @@
>   #include <linux/module.h>
>   #include <linux/fb.h>
>   #include <linux/bitrev.h>
> +#include <linux/string.h>
>   #include <asm/types.h>
>   
>   #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
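Review bot: the added #include <linux/string.h> is needed only for the memcpy() of the rectangle in sys_fillrect(). A plain struct assignment, modded = *rect;, copies the same data, lets the compiler check the types, and makes this include unnecessary.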
> @@ -18,10 +19,28 @@
>   
>   void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
>   {
> +	struct fb_fillrect modded;
> +	int vxres, vyres;
> +
>   	if (!(p->flags & FBINFO_VIRTFB))
>   		fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
>   
> -	fb_fillrect(p, rect);
> +	vxres = p->var.xres_virtual;
> +	vyres = p->var.yres_virtual;
> +
> +	/* Validate and clip rectangle to virtual resolution */
> +	if (!rect->width || !rect->height ||
> +	    rect->dx >= vxres || rect->dy >= vyres)
> +		return;
> +
> +	memcpy(&modded, rect, sizeof(struct fb_fillrect));
> +
> +	if (modded.dx + modded.width > vxres)
> +		modded.width = vxres - modded.dx;
> +	if (modded.dy + modded.height > vyres)
> +		modded.height = vyres - modded.dy;
> +
> +	fb_fillrect(p, &modded);
>   }
>   EXPORT_SYMBOL(sys_fillrect);
>   
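Review bot: the clip tests "modded.dx + modded.width > vxres" and "modded.dy + modded.height > vyres" add two caller-supplied values before comparing, so a very large width or height can wrap the __u32 sum around to a small number; the test is then false, the clip is skipped, and the oversized rectangle still reaches fb_fillrect(). The early return already guarantees dx < vxres and dy < vyres, so compare against the remaining space instead and avoid the addition: "if (modded.width > vxres - modded.dx) modded.width = vxres - modded.dx;" and the same for height. vxres and vyres are also declared int while xres_virtual, yres_virtual and the rectangle fields are __u32; giving them the same unsigned type keeps the comparisons free of implicit sign conversion.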

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)


