linux/drivers/video/fbdev
Tetsuo Handa 033724d686 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
syzbot is reporting general protection fault in bitfill_aligned() [1]
caused by integer underflow in bit_clear_margins(). The cause of this
problem is when and how vc_do_resize() updates vc->vc_{cols,rows}.

If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
try to overrun the __iomem region and cause a general protection fault.

Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

  new_cols = (cols ? cols : vc->vc_cols);
  new_rows = (lines ? lines : vc->vc_rows);

exception. Since cols and lines are calculated as

  cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
  rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
  cols /= vc->vc_font.width;
  rows /= vc->vc_font.height;
  vc_resize(vc, cols, rows);

in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means that

  const int fd = open("/dev/fb0", O_ACCMODE);
  struct fb_var_screeninfo var = { };
  ioctl(fd, FBIOGET_VSCREENINFO, &var);
  var.xres = var.yres = 1;
  ioctl(fd, FBIOPUT_VSCREENINFO, &var);

easily reproduces the integer underflow bug explained above.

Of course, it is bad that callers of vc_resize() are not handling vc_do_resize()
failure. But we can't avoid vc_resize(vc, 0, 0), which returns 0. Therefore,
as a band-aid workaround, this patch checks integer underflow in
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height do not
cause integer overflow.

[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

Reported-and-tested-by: syzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-23 16:22:25 +02:00
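The arithmetic the commit message describes, as an added example that is not the kernel's code: the unsigned subtraction in bit_clear_margins() that wraps when vc_cols * cw exceeds var.xres, next to the bounds check the message proposes. Field names follow the message; the struct, function names and sample geometries are hypothetical and constructed.

```c
/* Added example modelling the margin arithmetic described in the commit
 * message; struct and function names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for info->var.xres/yres, vc->vc_cols/vc_rows and
 * vc->vc_font.width/height. */
struct screen_geom {
    unsigned int xres, yres;   /* framebuffer size in pixels */
    unsigned int cols, rows;   /* console size in character cells */
    unsigned int cw, ch;       /* font cell width / height in pixels */
};

/* Unchecked form: unsigned subtraction wraps to a huge value when the
 * stale console geometry is larger than the (shrunk) framebuffer. */
static unsigned int right_margin_unchecked(const struct screen_geom *g)
{
    return g->xres - g->cols * g->cw;
}

static unsigned int bottom_margin_unchecked(const struct screen_geom *g)
{
    return g->yres - g->rows * g->ch;
}

/* Band-aid check from the message: refuse to clear margins when
 * cols*cw > xres or rows*ch > yres. Like the message, this assumes the
 * products themselves do not overflow unsigned int. */
static bool margins_ok(const struct screen_geom *g,
                       unsigned int *rw, unsigned int *bh)
{
    unsigned int text_w = g->cols * g->cw;
    unsigned int text_h = g->rows * g->ch;

    if (text_w > g->xres || text_h > g->yres)
        return false;          /* subtraction would underflow: skip fill */
    *rw = g->xres - text_w;
    *bh = g->yres - text_h;
    return true;
}

int main(void)
{
    /* Constructed: 1024x768 framebuffer, 120x40 console of 8x16 cells. */
    struct screen_geom good = { 1024, 768, 120, 40, 8, 16 };
    /* Constructed: var.xres = var.yres = 1 after FBIOPUT_VSCREENINFO while
     * vc_cols/vc_rows kept their old values (vc_do_resize() failed). */
    struct screen_geom stale = { 1, 1, 120, 40, 8, 16 };
    unsigned int rw = 0, bh = 0;

    printf("good:  unchecked rw=%u bh=%u ok=%d\n",
           right_margin_unchecked(&good), bottom_margin_unchecked(&good),
           margins_ok(&good, &rw, &bh));
    printf("stale: unchecked rw=%u bh=%u ok=%d\n",
           right_margin_unchecked(&stale), bottom_margin_unchecked(&stale),
           margins_ok(&stale, &rw, &bh));
    return 0;
}
```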
aty fbdev: aty: use true, false for bool variables in atyfb_base.c 2020-05-06 19:32:15 +02:00
core fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. 2020-07-23 16:22:25 +02:00
geode treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
i810 video: fbdev: i810: use true,false for bool variables 2020-05-06 19:29:10 +02:00
intelfb drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
kyro video: fbdev: kyrofb: remove set but not used variable 'ulScaleRight' 2020-03-02 16:32:11 +01:00
matrox video: fbdev: matroxfb: remove dead code and set but not used variable 2020-04-08 12:09:10 +02:00
mb862xx video: fbdev: mb862xx: remove set but not used variable 'mdr' 2020-04-08 12:09:15 +02:00
mbx drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
mmp video: Replace zero-length array with flexible-array member 2020-03-02 16:32:17 +01:00
nvidia video: fbdev: nvidia: clean up indentation issues and comment block 2020-01-15 17:31:53 +01:00
omap video: omapfb: Use scnprintf() for avoiding potential buffer overflow 2020-03-20 14:29:04 +01:00
omap2 drm pull for 5.8-rc1 2020-06-02 15:04:15 -07:00
riva video/fbdev/riva: Remove dead code 2020-04-25 17:08:55 +02:00
savage mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
sis video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vermilion remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
via fbdev: via: fix -Wextra build warning and format warning 2020-03-20 14:29:12 +01:00
68328fb.c video/fbdev/68328fb: Remove dead code 2020-01-03 14:27:43 +01:00
acornfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
acornfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
amba-clcd.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
amifb.c amifb: get rid of pointless access_ok() calls 2020-05-29 11:04:56 -04:00
arcfb.c video: fbdev: arcfb: add missed free_irq and fix the order of request_irq 2020-04-17 15:50:13 +02:00
arkfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
asiliantfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
atafb_iplan2p2.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p4.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p8.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_mfb.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_utils.h
atafb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
atafb.h
atmel_lcdfb.c video: fbdev: don't print error message on platform_get_irq() failure 2020-04-07 20:10:59 +02:00
au1100fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1100fb.h au1100fb: fix DMA API abuse 2019-06-03 16:00:08 +02:00
au1200fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1200fb.h
broadsheetfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
bt431.h
bt455.h
bw2.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
c2p_core.h fbdev: c2p: Use BUILD_BUG() instead of custom solution 2020-03-09 11:12:19 +01:00
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
carminefb.h
cg3.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg6.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg14.c fbdev: cg14fb: use resource_size 2020-01-15 17:31:50 +01:00
chipsfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cirrusfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
clps711x-fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cobalt_lcdfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
controlfb.c video: fbdev: controlfb: fix build for COMPILE_TEST=y && PPC_PMAC=y && PPC32=n 2020-04-29 21:00:25 +02:00
controlfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cyber2000fb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
cyber2000fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
da8xx-fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
dnfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
edid.h
efifb.c drm-misc-next for v5.6: 2019-12-17 13:57:54 +01:00
ep93xx-fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fb-puv3.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
ffb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fm2fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fsl-diu-fb.c video: fbdev: fsl-diu-fb: mark expected switch fall-throughs 2020-01-03 14:27:48 +01:00
g364fb.c fbdev/g364fb: Fix build failure 2020-02-19 10:58:22 -08:00
gbefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
goldfishfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
grvga.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
gxt4500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hecubafb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hgafb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hitfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
hpfb.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
hyperv_fb.c Linux 5.6-rc2 2020-02-17 10:34:34 +01:00
i740_reg.h
i740fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
imsttfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
imxfb.c video: fbdev: imxfb: ensure balanced regulator usage 2020-04-17 15:50:07 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leo.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
macfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
macmodes.c
macmodes.h
Makefile Main MIPS changes for v5.4: 2019-09-22 09:30:30 -07:00
maxinefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
metronomefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
mx3fb.c fbdev: mx3fb: const pointer to ipu_di_signal_cfg 2020-04-12 22:09:35 +02:00
n411.c
neofb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
ocfb.c video: ocfb: Use devm_platform_ioremap_resource() in ocfb_probe() 2020-01-03 14:27:49 +01:00
offb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
p9100.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.h
pm2fb.c fbdev: pm[23]fb.c: fix -Wextra build warnings and errors 2020-03-20 14:29:11 +01:00
pm3fb.c fbdev: pm[23]fb.c: fix -Wextra build warnings and errors 2020-03-20 14:29:11 +01:00
pmag-aa-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmag-ba-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmagb-b-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
ps3fb.c drivers/powerpc: Replace _ALIGN_UP() by ALIGN() 2020-05-11 23:15:15 +10:00
pvr2fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pxa3xx-gcu.c misc: cleanup minor number definitions in c file into miscdevice.h 2020-03-18 12:27:03 +01:00
pxa3xx-gcu.h
pxa168fb.c video: fbdev: pxa168fb: make pxa168fb_init_mode() return void 2020-05-09 23:09:41 +02:00
pxa168fb.h
pxafb.c video: pxafb: Use devm_platform_ioremap_resource() in pxafb_probe() 2020-01-03 14:27:50 +01:00
pxafb.h video: pxafb: Remove cpufreq policy notifier 2019-08-26 10:02:02 +02:00
q40fb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
s1d13xxxfb.c fbdev: s1d13xxxfb: add missed unregister_framebuffer in remove 2020-04-17 15:50:12 +02:00
s3c2410fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
s3c2410fb.h
s3c-fb.c fbdev: s3c-fb: use devm_platform_ioremap_resource() to simplify code 2020-01-03 14:27:45 +01:00
s3fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sa1100fb.c ARM/fbdev: sa11x0: Switch to use GPIO descriptors 2020-04-17 15:50:11 +02:00
sa1100fb.h ARM/fbdev: sa11x0: Switch to use GPIO descriptors 2020-04-17 15:50:11 +02:00
sbuslib.c fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() 2018-10-08 12:57:36 +02:00
sbuslib.h
sh7760fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sh_mobile_lcdcfb.c video: fbdev: sh_mobile_lcdcfb: fix sparse warnings about using incorrect types 2020-03-02 16:31:48 +01:00
sh_mobile_lcdcfb.h fbdev/sh_mobile: remove sh_mobile_lcdc_display_notify 2019-06-12 20:28:11 +02:00
simplefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
skeletonfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sm501fb.c video: fbdev: sm501fb: convert platform driver to use dev_groups 2019-08-02 13:22:37 +02:00
sm712.h fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display 2019-04-01 17:46:59 +02:00
sm712fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
smscufx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
ssd1307fb.c video: ssd1307fb: Remove redundant forward declaration 2020-04-17 15:50:00 +02:00
sstfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sticore.h
stifb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sunxvr500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr1000.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr2500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tcx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tdfxfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
tgafb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
tmiofb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tridentfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
udlfb.c video: udlfb: use true,false for bool variables 2020-05-06 19:30:25 +02:00
uvesafb.c video: fbdev: uvesafb: fix "noblank" option handling 2020-06-21 09:58:55 +02:00
valkyriefb.c video: fbdev: valkyriefb.c: fix warning comparing pointer to 0 2020-05-06 21:04:45 +02:00
valkyriefb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
vesafb.c video: fbdev: vesafb: add missed release_region 2020-04-17 15:50:14 +02:00
vfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vga16fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vt8500lcdfb.c video: vt8500lcdfb: fix fallthrough warning 2020-04-17 15:50:08 +02:00
vt8500lcdfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
vt8623fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
w100fb.c video: fbdev: w100fb: Fix a potential double free. 2020-05-06 20:22:25 +02:00
w100fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wm8505fb_regs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wm8505fb.c video: fbdev: wm8505fb: fix sparse warnings about using incorrect types 2020-03-02 16:32:04 +01:00
wmt_ge_rops.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wmt_ge_rops.h
xen-fbfront.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
xilinxfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00