| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aXT5A6vBSNIry3os@osama>
Date: Sat, 24 Jan 2026 17:53:23 +0100
From: Osama Abdelkader <osama.abdelkader@...il.com>
To: Thomas Zimmermann <tzimmermann@...e.de>
Cc: Zsolt Kajtar <soci@....rulez.org>, Simona Vetter <simona@...ll.ch>,
Helge Deller <deller@....de>, linux-fbdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
syzbot+7a63ce155648954e749b@...kaller.appspotmail.com
Subject: Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent
vmalloc-out-of-bounds
On Mon, Jan 19, 2026 at 08:38:31AM +0100, Thomas Zimmermann wrote:
> Hi,
>
> thanks for the patch.
>
> Am 18.01.26 um 01:18 schrieb Osama Abdelkader:
> > The sys_fillrect function was missing bounds validation, which could lead
> > to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> > beyond the framebuffer's virtual resolution. This was detected by KASAN
> > and reported by syzkaller.
> >
> > Add validation to:
> > 1. Check that width and height are non-zero
> > 2. Verify that dx and dy are within virtual resolution bounds
> > 3. Clip the rectangle dimensions to fit within virtual resolution if needed
>
> This is rather a problem with the caller of the fillrect helper and affects
> all drivers and all implementations of fb_fillrect. Clipping should happen
> in the fbcon functions before invoking ->fb_con.
>
> Best regards
> Thomas
>
> >
> > This follows the same pattern used in other framebuffer drivers like
> > pm2fb_fillrect.
> >
> > Reported-by: syzbot+7a63ce155648954e749b@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> > Signed-off-by: Osama Abdelkader <osama.abdelkader@...il.com>
> > ---
> > drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
> > 1 file changed, 20 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> > index 12eea3e424bb..73fc322ff8fd 100644
> > --- a/drivers/video/fbdev/core/sysfillrect.c
> > +++ b/drivers/video/fbdev/core/sysfillrect.c
> > @@ -7,6 +7,7 @@
> > #include <linux/module.h>
> > #include <linux/fb.h>
> > #include <linux/bitrev.h>
> > +#include <linux/string.h>
> > #include <asm/types.h>
> > #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
> > @@ -18,10 +19,28 @@
> > void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
> > {
> > + struct fb_fillrect modded;
> > + int vxres, vyres;
> > +
> > if (!(p->flags & FBINFO_VIRTFB))
> > fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
> > - fb_fillrect(p, rect);
> > + vxres = p->var.xres_virtual;
> > + vyres = p->var.yres_virtual;
> > +
> > + /* Validate and clip rectangle to virtual resolution */
> > + if (!rect->width || !rect->height ||
> > + rect->dx >= vxres || rect->dy >= vyres)
> > + return;
> > +
> > + memcpy(&modded, rect, sizeof(struct fb_fillrect));
> > +
> > + if (modded.dx + modded.width > vxres)
> > + modded.width = vxres - modded.dx;
> > + if (modded.dy + modded.height > vyres)
> > + modded.height = vyres - modded.dy;
> > +
> > + fb_fillrect(p, &modded);
> > }
> > EXPORT_SYMBOL(sys_fillrect);
>
> --
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
> GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
>
>
Thanks for the info.
Best regards,
Osama
Powered by blists - more mailing lists