diff options
| author | Peilin Ye <yepeilin.cs@gmail.com> | 2020-09-24 09:43:48 -0400 |
|---|---|---|
| committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2020-09-25 10:29:22 +0200 |
| commit | 5af08640795b2b9a940c9266c0260455377ae262 (patch) | |
| tree | 5a91488b8c1ddd580e40f4cc56b725a72e68e537 /drivers/video/fbdev/ffb.c | |
| parent | 6735b4632def0640dbdf4eb9f99816aca18c4f16 (diff) | |
| download | linux-5af08640795b2b9a940c9266c0260455377ae262.tar.bz2 | |
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
fbcon_get_font() is reading out-of-bounds. A malicious user may resize
`vc->vc_font.height` to a large value, causing fbcon_get_font() to
read out of `fontdata`.
fbcon_get_font() handles both built-in and user-provided fonts.
Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in
fonts, so fix it by adding range checks using FNTSIZE().
This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS
macros for built-in fonts".
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com
Diffstat (limited to 'drivers/video/fbdev/ffb.c')
0 files changed, 0 insertions, 0 deletions