On Thu, Sep 2, 2021 at 2:02 PM Dongliang Mu <[email protected]> wrote:
>
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
>
> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> or yres setting in struct fb_var_screeninfo will result in a
> KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> the margins are being cleared. The margins are cleared in
> chunks and if the xres setting or yres setting is a value of
> zero up to the chunk size, the failure will occur.
>
> Add a margin check to validate xres and yres settings.
>
> Note that, this patch needs special handling to backport it to linux
> kernel 4.19, 4.14, 4.9, 4.4.
I have tested that, this patch can be applied to the branches: linux-4.19.y/linux-4.14.y/linux-4.9.y/linux-4.4.y. > > Signed-off-by: George Kennedy <[email protected]> > Reported-by: [email protected] > Reviewed-by: Dan Carpenter <[email protected]> > Cc: Dhaval Giani <[email protected]> > Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]> > Link: > https://patchwork.freedesktop.org/patch/msgid/[email protected] > Signed-off-by: Sasha Levin <[email protected]> > --- > drivers/video/fbdev/core/fbmem.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbmem.c > b/drivers/video/fbdev/core/fbmem.c > index 84845275dbef..de04c097d67c 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct > fb_var_screeninfo *var) > goto done; > } > > + /* bitfill_aligned() assumes that it's at least 8x8 */ > + if (var->xres < 8 || var->yres < 8) > + return -EINVAL; > + > ret = info->fbops->fb_check_var(var, info); > > if (ret) > -- > 2.25.1 >
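Review bot: The new check at `if (var->xres < 8 || var->yres < 8)` exits fb_set_var() with a bare `return -EINVAL;`, while the error path in the context line directly above it uses `goto done;`. For the 4.19/4.14/4.9/4.4 backports, confirm that nothing is held or pending at this point that `done:` would release or undo; otherwise set `ret = -EINVAL;` and `goto done;` to match the surrounding code. The hard-coded 8 is explained only by the comment as a bitfill_aligned() assumption, whereas the commit message speaks of "the chunk size"; a named constant or a sentence connecting the two would make the bound easier to audit. The backport note should also state what the special handling for the older branches consists of, since the hunk shown is the same four added lines.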
