Hi Helge,

On Thu, Jun 30, 2022 at 9:38 PM Geert Uytterhoeven [off-list ref] wrote:

On Thu, Jun 30, 2022 at 9:17 PM Helge Deller [off-list ref] wrote:

quoted

On 6/30/22 21:11, Geert Uytterhoeven wrote:

quoted

On Wed, Jun 29, 2022 at 10:00 PM Helge Deller [off-list ref] wrote:

quoted

Prevent that drivers configure a virtual screen resolution smaller than
the physical screen resolution.  This is important, because otherwise we
may access memory outside of the graphics memory area.

Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.4+

Thanks for your patch!

quoted

--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c

@@ -1006,6 +1006,12 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
        if (var->xres < 8 || var->yres < 8)
                return -EINVAL;

+       /* make sure virtual resolution >= physical resolution */
+       if (WARN_ON(var->xres_virtual < var->xres))
+               var->xres_virtual = var->xres;
+       if (WARN_ON(var->yres_virtual < var->yres))
+               var->yres_virtual = var->yres;

This should be moved below the call to info->fbops->fb_check_var(),
so the WARN_ON() catches buggy fbdev drivers, not userspace fuzzers.

Yes, makes sense.

And print the name of the frame buffer device driver, so people know
who to blame.

Or better, do not continue, but return with a failure:

    if (WARN(var->xres_virtual < var->xres || var->yres_virtual < var->yres,
        "%ps for %s is broken\n", info->fbops->fb_check_var, info->fix.id)
            return -EINVAL;

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds