Thread (29 messages) 29 messages, 7 authors, 2020-09-30

RE: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers

From: David Laight <hidden>
Date: 2020-09-24 14:42:26
Also in: dri-devel, linux-kernel-mentees, lkml 

On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
quoted
Hi all,

syzbot has reported [1] a global out-of-bounds read issue in
fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
font data buffers, declared in lib/fonts/font_*.c:
...
quoted
(drivers/video/fbdev/core/fbcon.c)
 	if (font->width <= 8) {
 		j = vc->vc_font.height;
+		if (font->charcount * j > FNTSIZE(fontdata))
+			return -EINVAL;
Can that still go wrong because the multiply wraps?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help