Re: [PATCH] fbcon: fix integer overflow in fbcon_do_set_font

Mon, 22 Sep 2025 00:53:19 -0700 



Am 12.09.25 um 19:00 schrieb Samasth Norway Ananda:

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
    multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
    overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ana...@oracle.com>



Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change 
from causing potential out-of-bounds access")

Cc: George Kennedy <george.kenn...@oracle.com>
Cc: stable <sta...@vger.kernel.org>
Cc: syzbot+38a3699c7eaf165b9...@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Cc: Simona Vetter <sim...@ffwll.ch>
Cc: Helge Deller <del...@gmx.de>
Cc: Thomas Zimmermann <tzimmerm...@suse.de>
Cc: "Ville Syrjälä" <ville.syrj...@linux.intel.com>
Cc: Sam Ravnborg <s...@ravnborg.org>
Cc: Qianqiang Liu <qianqiang....@163.com>
Cc: Shixiong Ou <oushixi...@kylinos.cn>
Cc: Kees Cook <k...@kernel.org>
Cc: <sta...@vger.kernel.org> # v5.9+



---
  drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
  1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 55f5731e94c3..a507d05f8fea 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const 
struct console_font *font,
        if (fbcon_invalid_charcount(info, charcount))
                return -EINVAL;

  
-	size = CALC_FONTSZ(h, pitch, charcount);

+       /* Check for integer overflow in font size calculation */
+       if (check_mul_overflow(h, pitch, &size) ||
+           check_mul_overflow(size, charcount, &size))
+               return -EINVAL;
+
+       /* Check for overflow in allocation size calculation */
+       if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
+               return -EINVAL;

  
-	new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);

+       new_data = kmalloc(size, GFP_USER);

  
  	if (!new_data)

                return -ENOMEM;


--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)
























					Reply via email to