[PATCH v2] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

2025-10-03 Thread Albin Babu Varghese
, causing out-of-bounds writes.

Reported-by: syzbot+48b0652a95834717f...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190
Suggested-by: Helge Deller
Tested-by: syzbot+48b0652a95834717f...@syzkaller.appspotmail.com
Signed-off-by: Albin Babu Varghese

Re: [PATCH] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

2025-10-02 Thread Albin Babu Varghese
Hi Helge,

I tested your suggestions and they seem to work well.

> Do you know if this affects the selection?
> If so, would modifying (reducing/shortening) the selection maybe fix it?

The syzkaller reproducer uses really weird values where xs > xe and ys > ye (xs=0xa00, xe=0x101, ys=0xc7e, ye=0x1

Re: [PATCH] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

2025-10-01 Thread Albin Babu Varghese
Hi Helge, Thanks for the review. > I wonder if the image.height value should be capped in this case, > instead of not rendering any chars at all? > Something like (untested!): > > + if (image.dy >= info->var.yres) > + return; > + image.height = min(image.height, info->var.yr
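Review bot: the early return in the quoted suggestion compares image.dy against info->var.yres, the visible height, and it is worth confirming that this is the right limit for every scroll mode. When fbcon scrolls by panning, rows between yres and yres_virtual are still inside the framebuffer allocation, so a check against yres could skip draws that are in bounds; comparing against info->var.yres_virtual would bound the write to the buffer itself. Whichever limit is chosen, the min() clamp on image.height should use the same one, and a short comment stating which limit is meant and why would help the next reader.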

[PATCH] fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

2025-09-27 Thread Albin Babu Varghese
...@syzkaller.appspotmail.com Signed-off-by: Albin Babu Varghese --- drivers/video/fbdev/core/bitblit.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c index f9475c14f733..4c732284384a 100644 --- a/drivers/video/fbdev