linux/drivers/video/fbdev
Peilin Ye 5af0864079 fbcon: Fix global-out-of-bounds read in fbcon_get_font()
fbcon_get_font() is reading out-of-bounds. A malicious user may resize
`vc->vc_font.height` to a large value, causing fbcon_get_font() to
read out of `fontdata`.

fbcon_get_font() handles both built-in and user-provided fonts.
Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in
fonts, so fix it by adding range checks using FNTSIZE().

This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS
macros for built-in fonts".

Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com
2020-09-25 10:29:22 +02:00
aty video: fbdev: Use IS_BUILTIN 2020-06-01 15:15:24 +02:00
core fbcon: Fix global-out-of-bounds read in fbcon_get_font() 2020-09-25 10:29:22 +02:00
geode treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
i810 video: fbdev: i810: use true,false for bool variables 2020-05-06 19:29:10 +02:00
intelfb drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
kyro video: fbdev: kyrofb: remove set but not used variable 'ulScaleRight' 2020-03-02 16:32:11 +01:00
matrox treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
mb862xx video: fbdev: mb862xx: remove set but not used variable 'mdr' 2020-04-08 12:09:15 +02:00
mbx drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
mmp video: Replace zero-length array with flexible-array member 2020-03-02 16:32:17 +01:00
nvidia video: fbdev: Use IS_BUILTIN 2020-06-01 15:15:24 +02:00
omap video: fbdev: Use IS_BUILTIN 2020-06-01 15:15:24 +02:00
omap2 video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
riva drm next for 5.9-rc1 2020-08-05 19:50:06 -07:00
savage video: fbdev: savage: fix memory leak on error handling path in probe 2020-07-10 16:17:23 +02:00
sis video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vermilion remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
via fbdev: via: fix -Wextra build warning and format warning 2020-03-20 14:29:12 +01:00
68328fb.c video/fbdev/68328fb: Remove dead code 2020-01-03 14:27:43 +01:00
acornfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
acornfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
amifb.c video: fbdev: amifb: add FIXMEs about {put,get}_user() failures 2020-07-10 16:17:20 +02:00
arcfb.c video: fbdev: arcfb: add missed free_irq and fix the order of request_irq 2020-04-17 15:50:13 +02:00
arkfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
asiliantfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atafb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
atafb.h
atmel_lcdfb.c video: fbdev: don't print error message on platform_get_irq() failure 2020-04-07 20:10:59 +02:00
au1100fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1100fb.h
au1200fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1200fb.h
broadsheetfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
bt431.h
bt455.h
bw2.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
c2p_core.h fbdev: c2p: Use BUILD_BUG() instead of custom solution 2020-03-09 11:12:19 +01:00
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
carminefb.h
cg3.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg6.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg14.c fbdev: cg14fb: use resource_size 2020-01-15 17:31:50 +01:00
chipsfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cirrusfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
clps711x-fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cobalt_lcdfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
controlfb.c video: fbdev: controlfb: fix build for COMPILE_TEST=y && PPC_PMAC=y && PPC32=n 2020-04-29 21:00:25 +02:00
controlfb.h
cyber2000fb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
cyber2000fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
da8xx-fb.c fbdev: da8xx-fb: go to proper label on error handling paths in probe 2020-07-10 16:17:28 +02:00
dnfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
edid.h
efifb.c efi: avoid error message when booting under Xen 2020-08-20 06:26:22 +02:00
ep93xx-fb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
ffb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fm2fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fsl-diu-fb.c video: fbdev: fsl-diu-fb: mark expected switch fall-throughs 2020-01-03 14:27:48 +01:00
g364fb.c fbdev/g364fb: Fix build failure 2020-02-19 10:58:22 -08:00
gbefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
goldfishfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
grvga.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
gxt4500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hecubafb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hgafb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hitfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
hpfb.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
hyperv_fb.c Linux 5.6-rc2 2020-02-17 10:34:34 +01:00
i740_reg.h
i740fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
imsttfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
imxfb.c video: fbdev: imxfb: ensure balanced regulator usage 2020-04-17 15:50:07 +02:00
Kconfig drm next for 5.9-rc1 2020-08-05 19:50:06 -07:00
leo.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
macfb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
macmodes.c
macmodes.h
Makefile drm next for 5.9-rc1 2020-08-05 19:50:06 -07:00
maxinefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
metronomefb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
mx3fb.c fbdev: mx3fb: const pointer to ipu_di_signal_cfg 2020-04-12 22:09:35 +02:00
n411.c
neofb.c video: fbdev: neofb: fix memory leak in neo_scan_monitor() 2020-07-10 16:17:24 +02:00
ocfb.c video: ocfb: Use devm_platform_ioremap_resource() in ocfb_probe() 2020-01-03 14:27:49 +01:00
offb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
p9100.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.h
pm2fb.c fbdev: pm[23]fb.c: fix -Wextra build warnings and errors 2020-03-20 14:29:11 +01:00
pm3fb.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
pmag-aa-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmag-ba-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmagb-b-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
ps3fb.c fbmem: pull fbcon_update_vcs() out of fb_set_var() 2020-08-04 07:37:23 +02:00
pvr2fb.c video: fbdev: convert get_user_pages() --> pin_user_pages() 2020-05-31 22:54:37 +02:00
pxa3xx-gcu.c misc: cleanup minor number definitions in c file into miscdevice.h 2020-03-18 12:27:03 +01:00
pxa3xx-gcu.h
pxa168fb.c video: fbdev: pxa168fb: make pxa168fb_init_mode() return void 2020-05-09 23:09:41 +02:00
pxa168fb.h
pxafb.c video: fbdev: pxafb: Use correct return value for pxafb_probe() 2020-06-01 15:15:23 +02:00
pxafb.h video: pxafb: Remove cpufreq policy notifier 2019-08-26 10:02:02 +02:00
q40fb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
s1d13xxxfb.c fbdev: s1d13xxxfb: add missed unregister_framebuffer in remove 2020-04-17 15:50:12 +02:00
s3c2410fb.c video: fbdev: Use IS_BUILTIN 2020-06-01 15:15:24 +02:00
s3c2410fb.h
s3c-fb.c fbdev: s3c-fb: use devm_platform_ioremap_resource() to simplify code 2020-01-03 14:27:45 +01:00
s3fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sa1100fb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
sa1100fb.h ARM/fbdev: sa11x0: Switch to use GPIO descriptors 2020-04-17 15:50:11 +02:00
sbuslib.c
sbuslib.h
sh7760fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sh_mobile_lcdcfb.c video: fbdev: sh_mobile_lcdcfb: fix sparse warnings about using incorrect types 2020-03-02 16:31:48 +01:00
sh_mobile_lcdcfb.h fbdev/sh_mobile: remove sh_mobile_lcdc_display_notify 2019-06-12 20:28:11 +02:00
simplefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
skeletonfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sm501fb.c video: fbdev: sm501fb: convert platform driver to use dev_groups 2019-08-02 13:22:37 +02:00
sm712.h
sm712fb.c fbdev: sm712fb: set error code in probe 2020-07-10 16:17:29 +02:00
smscufx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
ssd1307fb.c pwm: Convert period and duty cycle to u64 2020-06-17 20:42:11 +02:00
sstfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sticore.h
stifb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sunxvr500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr1000.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr2500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tcx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tdfxfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
tgafb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
tmiofb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tridentfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
udlfb.c video: udlfb: use true,false for bool variables 2020-05-06 19:30:25 +02:00
uvesafb.c video: fbdev: uvesafb: fix "noblank" option handling 2020-06-21 09:58:55 +02:00
valkyriefb.c video: fbdev: valkyriefb.c: fix warning comparing pointer to 0 2020-05-06 21:04:45 +02:00
valkyriefb.h
vesafb.c video: fbdev: vesafb: add missed release_region 2020-04-17 15:50:14 +02:00
vfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vga16fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vt8500lcdfb.c video: vt8500lcdfb: fix fallthrough warning 2020-04-17 15:50:08 +02:00
vt8500lcdfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
vt8623fb.c video: fbdev: vt8623fb: Constify static vga_regsets 2020-07-10 16:17:27 +02:00
w100fb.c video: fbdev: w100fb: Fix a potential double free. 2020-05-06 20:22:25 +02:00
w100fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wm8505fb_regs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wm8505fb.c video: fbdev: wm8505fb: fix sparse warnings about using incorrect types 2020-03-02 16:32:04 +01:00
wmt_ge_rops.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wmt_ge_rops.h
xen-fbfront.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
xilinxfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00