Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2026-01-11 Thread Woody Suwalski

Woody Suwalski wrote:

Vitaly Chikunov wrote:

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: [email protected]
Signed-off-by: Junjie Cao 

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

   0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
   commit 0998a6cb232674408a03e8561dc15aa266b2f53b
   Author: Junjie Cao 
   AuthorDate: 2025-10-20 21:47:01 +0800
   Commit: Greg Kroah-Hartman 
   CommitDate: 2025-12-07 06:08:07 +0900

   fbdev: bitblit: bound-check glyph index in bit_putcs*

   commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

   bit_putcs_aligned()/unaligned() derived the glyph pointer from the
   character value masked by 0xff/0x1ff, which may exceed the actual font's
   glyph count and read past the end of the built-in font array.
   Clamp the index to the actual glyph count before computing the address.


   This fixes a global out-of-bounds read reported by syzbot.

   Reported-by: [email protected]
   Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2

   Tested-by: [email protected]
   Signed-off-by: Junjie Cao 
   Reviewed-by: Thomas Zimmermann 
   Signed-off-by: Helge Deller 
   Cc: [email protected]
   Signed-off-by: Greg Kroah-Hartman 

    drivers/video/fbdev/core/bitblit.c | 16 
    1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

   date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b


---
v1: 
https://lore.kernel.org/linux-fbdev/[email protected]/

v1 -> v2:
  - Fix indentation and add blank line after declarations with the .pl helper
  - No functional changes

  drivers/video/fbdev/core/bitblit.c | 16 
  1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c

index 9d2e59796c3e..085ffb44c51a 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct 
vc_data *vc, struct fb_info *info,

   struct fb_image *image, u8 *buf, u8 *dst)
  {
  u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+    unsigned int charcnt = vc->vc_font.charcount;
  u32 idx = vc->vc_font.width >> 3;
  u8 *src;
    while (cnt--) {
-    src = vc->vc_font.data + (scr_readw(s++)&
-  charmask)*cellsize;
+    u16 ch = scr_readw(s++) & charmask;
+
+    if (ch >= charcnt)
+    ch = 0;
+    src = vc->vc_font.data + (unsigned int)ch * cellsize;
    if (attr) {
  update_attr(buf, src, attr, vc);
@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct 
vc_data *vc,

 u8 *dst)
  {
  u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+    unsigned int charcnt = vc->vc_font.charcount;
  u32 shift_low = 0, mod = vc->vc_font.width % 8;
  u32 shift_high = 8;
  u32 idx = vc->vc_font.width >> 3;
  u8 *src;
    while (cnt--) {
-    src = vc->vc_font.data + (scr_readw(s++)&
-  charmask)*cellsize;
+    u16 ch = scr_readw(s++) & charmask;
+
+    if (ch >= charcnt)
+    ch = 0;
+    src = vc->vc_font.data + (unsigned int)ch * cellsize;
    if (attr) {
  update_attr(buf, src, attr, vc);
--
2.48.1

I have done the same bisecting work, too bad I did not notice Vitaly's
work earlier :-(

There is a "cheap" workaround for systems before 5.11, (not addressing
the root issue but) working:


diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c

index 7c2fc9f..c5a1a9d 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -86,7 +86,7 @@ static inline void bit_putcs_aligned(struct vc_data 
*vc, struct fb_info *info,

 while (cnt--) {
     u16 ch = scr_readw(s++) & charmask;

-        if (ch >= charcnt)
+        if (charcn

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2026-01-10 Thread Woody Suwalski

Vitaly Chikunov wrote:

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: [email protected]
Signed-off-by: Junjie Cao 

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

   0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
   commit 0998a6cb232674408a03e8561dc15aa266b2f53b
   Author: Junjie Cao 
   AuthorDate: 2025-10-20 21:47:01 +0800
   Commit: Greg Kroah-Hartman 
   CommitDate: 2025-12-07 06:08:07 +0900

   fbdev: bitblit: bound-check glyph index in bit_putcs*

   commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

   bit_putcs_aligned()/unaligned() derived the glyph pointer from the
   character value masked by 0xff/0x1ff, which may exceed the actual font's
   glyph count and read past the end of the built-in font array.
   Clamp the index to the actual glyph count before computing the address.

   This fixes a global out-of-bounds read reported by syzbot.

   Reported-by: [email protected]
   Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
   Tested-by: [email protected]
   Signed-off-by: Junjie Cao 
   Reviewed-by: Thomas Zimmermann 
   Signed-off-by: Helge Deller 
   Cc: [email protected]
   Signed-off-by: Greg Kroah-Hartman 

drivers/video/fbdev/core/bitblit.c | 16 
1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

   date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b


---
v1: 
https://lore.kernel.org/linux-fbdev/[email protected]/
v1 -> v2:
  - Fix indentation and add blank line after declarations with the .pl helper
  - No functional changes

  drivers/video/fbdev/core/bitblit.c | 16 
  1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c
index 9d2e59796c3e..085ffb44c51a 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, 
struct fb_info *info,
 struct fb_image *image, u8 *buf, u8 *dst)
  {
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+   unsigned int charcnt = vc->vc_font.charcount;
u32 idx = vc->vc_font.width >> 3;
u8 *src;
  
  	while (cnt--) {

-   src = vc->vc_font.data + (scr_readw(s++)&
- charmask)*cellsize;
+   u16 ch = scr_readw(s++) & charmask;
+
+   if (ch >= charcnt)
+   ch = 0;
+   src = vc->vc_font.data + (unsigned int)ch * cellsize;
  
  		if (attr) {

update_attr(buf, src, attr, vc);
@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
   u8 *dst)
  {
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+   unsigned int charcnt = vc->vc_font.charcount;
u32 shift_low = 0, mod = vc->vc_font.width % 8;
u32 shift_high = 8;
u32 idx = vc->vc_font.width >> 3;
u8 *src;
  
  	while (cnt--) {

-   src = vc->vc_font.data + (scr_readw(s++)&
- charmask)*cellsize;
+   u16 ch = scr_readw(s++) & charmask;
+
+   if (ch >= charcnt)
+   ch = 0;
+   src = vc->vc_font.data + (unsigned int)ch * cellsize;
  
  		if (attr) {

update_attr(buf, src, attr, vc);
--
2.48.1

I have done the same bisecting work, too bad I did not notice Vitaly's
work earlier :-(

There is a "cheap" workaround for systems before 5.11, (not addressing
the root issue but) working:


diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c

index 7c2fc9f..c5a1a9d 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -86,7 +86,7 @@ static inline void bit_putcs_aligned(struct vc_data 
*vc, s

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2026-01-06 Thread Thorsten Leemhuis
[Top posting to make this easy processable]

TWIMC, Ben (now CCed) meanwhile reported the problem as well:

https://lore.kernel.org/all/[email protected]/

There he wrote
"""
This can be fixed by backporting the following commits from 5.11:

7a089ec7d77f console: Delete unused con_font_copy() callback implementations
259a252c1f4e console: Delete dummy con_font_set() and con_font_default()
callback implementations
4ee573086bd8 Fonts: Add charcount field to font_desc
4497364e5f61 parisc/sticore: Avoid hard-coding built-in font charcount
a1ac250a82a5 fbcon: Avoid using FNTCHARCNT() and hard-coded built-in
font charcount

These all apply without fuzz and build cleanly for x86_64 and parisc64.
"""

Ciao, Thorsten

On 12/27/25 03:04, Barry K. Nathan wrote:
> On 12/26/25 4:21 AM, Vitaly Chikunov wrote:
>> Dear linux-fbdev, stable,
>>
>> On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>>>
>>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
 bit_putcs_aligned()/unaligned() derived the glyph pointer from the
 character value masked by 0xff/0x1ff, which may exceed the actual font's
 glyph count and read past the end of the built-in font array.
 Clamp the index to the actual glyph count before computing the address.

 This fixes a global out-of-bounds read reported by syzbot.

 Reported-by: [email protected]
 Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
 Tested-by: [email protected]
 Signed-off-by: Junjie Cao 
>>>
>>> This commit is applied to v5.10.247 and causes a regression: when
>>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>>> with angle characters, then new text is not appearing (or not visible).
>>>
>>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>>
>>>    0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>>    commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>    Author: Junjie Cao 
>>>    AuthorDate: 2025-10-20 21:47:01 +0800
>>>    Commit: Greg Kroah-Hartman 
>>>    CommitDate: 2025-12-07 06:08:07 +0900
>>>
>>>    fbdev: bitblit: bound-check glyph index in bit_putcs*
>>>
>>>    commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>>
>>>    bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>>    character value masked by 0xff/0x1ff, which may exceed the actual font's
>>>    glyph count and read past the end of the built-in font array.
>>>    Clamp the index to the actual glyph count before computing the address.
>>>
>>>    This fixes a global out-of-bounds read reported by syzbot.
>>>
>>>    Reported-by: [email protected]
>>>    Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>>    Tested-by: [email protected]
>>>    Signed-off-by: Junjie Cao 
>>>    Reviewed-by: Thomas Zimmermann 
>>>    Signed-off-by: Helge Deller 
>>>    Cc: [email protected]
>>>    Signed-off-by: Greg Kroah-Hartman 
>>>
>>>     drivers/video/fbdev/core/bitblit.c | 16 
>>>     1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> The minimal reproducer in cli, after kernel is booted:
>>>
>>>    date >/dev/tty2; chvt 2
>>>
>>> and the date does not appear.
>>>
>>> Thanks,
>>>
>>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>
 ---
 v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-
 [email protected]/
 v1 -> v2:
   - Fix indentation and add blank line after declarations with the .pl helper
   - No functional changes

   drivers/video/fbdev/core/bitblit.c | 16 
   1 file changed, 12 insertions(+), 4 deletions(-)

 diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/
 fbdev/core/bitblit.c
 index 9d2e59796c3e..085ffb44c51a 100644
 --- a/drivers/video/fbdev/core/bitblit.c
 +++ b/drivers/video/fbdev/core/bitblit.c
 @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct
 vc_data *vc, struct fb_info *info,
    struct fb_image *image, u8 *buf, u8 *dst)
   {
   u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
 +    unsigned int charcnt = vc->vc_font.charcount;
>>
>> Perhaps, vc->vc_font.charcount (which is relied upon in the following
>> comparison) is not always set correctly in v5.10.247. At least two
>> commits that set vc_font.charcount are missing from v5.10.247:
>>
>>    a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded
>> built-in font charcount")
>>    a5a923038d70 ("fbdev: fbcon: Properly revert changes when
>> vc_resize() failed")
>>
>> Thanks,
> 
> I was just about to report this.
> 
> I found two ways to fix this bug. One is to rev

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2025-12-27 Thread Barry K. Nathan

On 12/26/25 4:21 AM, Vitaly Chikunov wrote:

Dear linux-fbdev, stable,

On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:


On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: [email protected]
Signed-off-by: Junjie Cao 


This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

   0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
   commit 0998a6cb232674408a03e8561dc15aa266b2f53b
   Author: Junjie Cao 
   AuthorDate: 2025-10-20 21:47:01 +0800
   Commit: Greg Kroah-Hartman 
   CommitDate: 2025-12-07 06:08:07 +0900

   fbdev: bitblit: bound-check glyph index in bit_putcs*

   commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

   bit_putcs_aligned()/unaligned() derived the glyph pointer from the
   character value masked by 0xff/0x1ff, which may exceed the actual font's
   glyph count and read past the end of the built-in font array.
   Clamp the index to the actual glyph count before computing the address.

   This fixes a global out-of-bounds read reported by syzbot.

   Reported-by: [email protected]
   Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
   Tested-by: [email protected]
   Signed-off-by: Junjie Cao 
   Reviewed-by: Thomas Zimmermann 
   Signed-off-by: Helge Deller 
   Cc: [email protected]
   Signed-off-by: Greg Kroah-Hartman 

drivers/video/fbdev/core/bitblit.c | 16 
1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

   date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b


---
v1: 
https://lore.kernel.org/linux-fbdev/[email protected]/
v1 -> v2:
  - Fix indentation and add blank line after declarations with the .pl helper
  - No functional changes

  drivers/video/fbdev/core/bitblit.c | 16 
  1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c
index 9d2e59796c3e..085ffb44c51a 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, 
struct fb_info *info,
 struct fb_image *image, u8 *buf, u8 *dst)
  {
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+   unsigned int charcnt = vc->vc_font.charcount;


Perhaps, vc->vc_font.charcount (which is relied upon in the following
comparison) is not always set correctly in v5.10.247. At least two
commits that set vc_font.charcount are missing from v5.10.247:

   a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font 
charcount")
   a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() 
failed")

Thanks,


I was just about to report this.

I found two ways to fix this bug. One is to revert this patch; the other 
is to apply the following 3 patches, which are already present in 5.11 
and later:


7a089ec7d77fe7d50f6bb7b178fa25eec9fd822b
console: Delete unused con_font_copy() callback implementations

4ee573086bd88ff3060dda07873bf755d332e9ba
Fonts: Add charcount field to font_desc

a1ac250a82a5e97db71f14101ff7468291a6aaef
fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font
charcount

(Oh, by the way, this same regression also affects 5.4.302, and the same 
3 patches fix the regression on 5.4 as well, once you manually fix merge 
conflicts. Maybe it would be better to backport other additional commits 
instead of fixing the merge conflicts manually, but since 5.4 is now EOL 
I didn't dig that deep.)


Once these 3 patches are applied, I wonder if a5a923038d70 now becomes 
necessary for 5.10.y. For what it's worth, it applies fine and the 
resulting kernel seems to run OK in brief testing.


--
-Barry K. Nathan  
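The point Vitaly makes above (the new clamp relies on vc->vc_font.charcount being populated) is easy to see in a small model. The C program below is an added example written for this page, not kernel code and not from the patch author or anyone in this thread: it models the glyph lookup that bit_putcs_aligned()/unaligned() perform on a constructed 256-glyph 8x16 font, with the hypothetical struct model_font standing in for the vc_font fields involved, and compares the pre-patch masked lookup, the patched clamp, and what the clamp does when charcount is left at zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the glyph lookup in
 * bit_putcs_aligned()/bit_putcs_unaligned(), comparing three behaviours from
 * this thread on a constructed font:
 *   1. pre-patch: index = ch & charmask, no bound check (can overrun the font)
 *   2. patched:   index is clamped to glyph 0 when ch >= vc_font.charcount
 *   3. patched, but charcount never populated (0): every character becomes
 *      glyph 0, the v5.10.247 symptom.
 * struct model_font stands in for the vc_font fields involved.
 */
struct model_font {
	unsigned int width;     /* pixels per glyph row */
	unsigned int height;    /* rows per glyph */
	unsigned int charcount; /* glyph count; 0 models "never set" */
	size_t data_len;        /* bytes available in data[] */
	const uint8_t *data;
};

enum glyph_status { GLYPH_OK, GLYPH_CLAMPED, GLYPH_OOB };

/* Constructed 8x16 font with room for 256 glyphs; charcount is chosen by the caller. */
static uint8_t model_glyphs[256 * 16];

static struct model_font make_font(unsigned int charcount)
{
	struct model_font f = { 8, 16, charcount, sizeof(model_glyphs), model_glyphs };
	return f;
}

/* Bytes per glyph, computed as fbcon does: rows * bytes per row. */
static unsigned int model_cellsize(const struct model_font *f)
{
	return f->height * ((f->width + 7) / 8);
}

static uint16_t model_charmask(int hi_font_mask)
{
	return hi_font_mask ? 0x1ff : 0xff;
}

/* Pre-patch lookup: mask only. Reports OOB when the glyph would lie past data[]. */
static enum glyph_status glyph_unchecked(const struct model_font *f, int hi_font_mask, uint16_t ch)
{
	unsigned int idx = ch & model_charmask(hi_font_mask);

	return (size_t)(idx + 1) * model_cellsize(f) > f->data_len ? GLYPH_OOB : GLYPH_OK;
}

/* Patched lookup (upstream 18c4ef4e765a): clamp to glyph 0 when ch >= charcount. */
static enum glyph_status glyph_clamped(const struct model_font *f, int hi_font_mask,
				       uint16_t ch, unsigned int *idx)
{
	unsigned int charcnt = f->charcount;

	*idx = ch & model_charmask(hi_font_mask);
	if (*idx >= charcnt) {
		*idx = 0;
		return GLYPH_CLAMPED;
	}
	return GLYPH_OK;
}

/* Wrappers over the constructed font so each result is a plain return value. */
static enum glyph_status unchecked_status(unsigned int charcount, int hi, uint16_t ch)
{
	struct model_font f = make_font(charcount);

	return glyph_unchecked(&f, hi, ch);
}

static unsigned int clamped_index(unsigned int charcount, int hi, uint16_t ch)
{
	struct model_font f = make_font(charcount);
	unsigned int idx;

	glyph_clamped(&f, hi, ch, &idx);
	return idx;
}

/* The thread's "date" reproducer as vc screen words (low byte is the character):
 * how many of its characters end up drawn as glyph 0. */
static unsigned int clamped_in_date_line(unsigned int charcount)
{
	static const uint16_t line[] = { 'd', 'a', 't', 'e' };
	struct model_font f = make_font(charcount);
	unsigned int clamped = 0, idx;

	for (size_t i = 0; i < sizeof(line) / sizeof(line[0]); i++)
		if (glyph_clamped(&f, 0, line[i], &idx) == GLYPH_CLAMPED)
			clamped++;
	return clamped;
}

int main(void)
{
	printf("pre-patch, hi_font_mask set, ch=0x1ff, 256-glyph font: %s\n",
	       unchecked_status(256, 1, 0x1ff) == GLYPH_OOB ? "reads past the font" : "ok");
	printf("patched, same input: glyph index %u\n", clamped_index(256, 1, 0x1ff));
	printf("charcount=256: %u of 4 chars drawn as glyph 0\n", clamped_in_date_line(256));
	printf("charcount=0:   %u of 4 chars drawn as glyph 0\n", clamped_in_date_line(0));
	return 0;
}
```

With charcount left at 0 the last line reports all four characters of the reproducer string drawn as glyph 0, consistent with the blank or uniformly filled VT described above; with charcount set the clamp only fires for the out-of-range index, which is the behaviour the patch intends. That is why the fix the thread converges on is not to drop the clamp but to backport the commits that populate charcount.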


Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2025-12-26 Thread Vitaly Chikunov
Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
> 
> This fixes a global out-of-bounds read reported by syzbot.
> 
> Reported-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: [email protected]
> Signed-off-by: Junjie Cao 

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

  0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
  commit 0998a6cb232674408a03e8561dc15aa266b2f53b
  Author: Junjie Cao 
  AuthorDate: 2025-10-20 21:47:01 +0800
  Commit: Greg Kroah-Hartman 
  CommitDate: 2025-12-07 06:08:07 +0900

  fbdev: bitblit: bound-check glyph index in bit_putcs*

  commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

  bit_putcs_aligned()/unaligned() derived the glyph pointer from the
  character value masked by 0xff/0x1ff, which may exceed the actual font's
  glyph count and read past the end of the built-in font array.
  Clamp the index to the actual glyph count before computing the address.

  This fixes a global out-of-bounds read reported by syzbot.

  Reported-by: [email protected]
  Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
  Tested-by: [email protected]
  Signed-off-by: Junjie Cao 
  Reviewed-by: Thomas Zimmermann 
  Signed-off-by: Helge Deller 
  Cc: [email protected]
  Signed-off-by: Greg Kroah-Hartman 

   drivers/video/fbdev/core/bitblit.c | 16 
   1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

  date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b

> ---
> v1: 
> https://lore.kernel.org/linux-fbdev/[email protected]/
> v1 -> v2:
>  - Fix indentation and add blank line after declarations with the .pl helper
>  - No functional changes
> 
>  drivers/video/fbdev/core/bitblit.c | 16 
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/bitblit.c 
> b/drivers/video/fbdev/core/bitblit.c
> index 9d2e59796c3e..085ffb44c51a 100644
> --- a/drivers/video/fbdev/core/bitblit.c
> +++ b/drivers/video/fbdev/core/bitblit.c
> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, 
> struct fb_info *info,
>struct fb_image *image, u8 *buf, u8 *dst)
>  {
>   u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> + unsigned int charcnt = vc->vc_font.charcount;
>   u32 idx = vc->vc_font.width >> 3;
>   u8 *src;
>  
>   while (cnt--) {
> - src = vc->vc_font.data + (scr_readw(s++)&
> -   charmask)*cellsize;
> + u16 ch = scr_readw(s++) & charmask;
> +
> + if (ch >= charcnt)
> + ch = 0;
> + src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>   if (attr) {
>   update_attr(buf, src, attr, vc);
> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data 
> *vc,
>  u8 *dst)
>  {
>   u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> + unsigned int charcnt = vc->vc_font.charcount;
>   u32 shift_low = 0, mod = vc->vc_font.width % 8;
>   u32 shift_high = 8;
>   u32 idx = vc->vc_font.width >> 3;
>   u8 *src;
>  
>   while (cnt--) {
> - src = vc->vc_font.data + (scr_readw(s++)&
> -   charmask)*cellsize;
> + u16 ch = scr_readw(s++) & charmask;
> +
> + if (ch >= charcnt)
> + ch = 0;
> + src = vc->vc_font.data + (unsigned int)ch * cellsize;
>  
>   if (attr) {
>   update_attr(buf, src, attr, vc);
> -- 
> 2.48.1
> 


Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2025-12-26 Thread Vitaly Chikunov
Dear linux-fbdev, stable,

On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
> 
> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> > bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> > character value masked by 0xff/0x1ff, which may exceed the actual font's
> > glyph count and read past the end of the built-in font array.
> > Clamp the index to the actual glyph count before computing the address.
> > 
> > This fixes a global out-of-bounds read reported by syzbot.
> > 
> > Reported-by: [email protected]
> > Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> > Tested-by: [email protected]
> > Signed-off-by: Junjie Cao 
> 
> This commit is applied to v5.10.247 and causes a regression: when
> switching VT with ctrl-alt-f2 the screen is blank or completely filled
> with angle characters, then new text is not appearing (or not visible).
> 
> This commit is found with git bisect from v5.10.246 to v5.10.247:
> 
>   0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>   commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>   Author: Junjie Cao 
>   AuthorDate: 2025-10-20 21:47:01 +0800
>   Commit: Greg Kroah-Hartman 
>   CommitDate: 2025-12-07 06:08:07 +0900
> 
>   fbdev: bitblit: bound-check glyph index in bit_putcs*
> 
>   commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
> 
>   bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>   character value masked by 0xff/0x1ff, which may exceed the actual font's
>   glyph count and read past the end of the built-in font array.
>   Clamp the index to the actual glyph count before computing the address.
> 
>   This fixes a global out-of-bounds read reported by syzbot.
> 
>   Reported-by: [email protected]
>   Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>   Tested-by: [email protected]
>   Signed-off-by: Junjie Cao 
>   Reviewed-by: Thomas Zimmermann 
>   Signed-off-by: Helge Deller 
>   Cc: [email protected]
>   Signed-off-by: Greg Kroah-Hartman 
> 
>drivers/video/fbdev/core/bitblit.c | 16 
>1 file changed, 12 insertions(+), 4 deletions(-)
> 
> The minimal reproducer in cli, after kernel is booted:
> 
>   date >/dev/tty2; chvt 2
> 
> and the date does not appear.
> 
> Thanks,
> 
> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
> 
> > ---
> > v1: 
> > https://lore.kernel.org/linux-fbdev/[email protected]/
> > v1 -> v2:
> >  - Fix indentation and add blank line after declarations with the .pl helper
> >  - No functional changes
> > 
> >  drivers/video/fbdev/core/bitblit.c | 16 
> >  1 file changed, 12 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/video/fbdev/core/bitblit.c 
> > b/drivers/video/fbdev/core/bitblit.c
> > index 9d2e59796c3e..085ffb44c51a 100644
> > --- a/drivers/video/fbdev/core/bitblit.c
> > +++ b/drivers/video/fbdev/core/bitblit.c
> > @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data 
> > *vc, struct fb_info *info,
> >  struct fb_image *image, u8 *buf, u8 *dst)
> >  {
> > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> > +   unsigned int charcnt = vc->vc_font.charcount;

Perhaps, vc->vc_font.charcount (which is relied upon in the following
comparison) is not always set correctly in v5.10.247. At least two
commits that set vc_font.charcount are missing from v5.10.247:

  a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font 
charcount")
  a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")

Thanks,


> > u32 idx = vc->vc_font.width >> 3;
> > u8 *src;
> >  
> > while (cnt--) {
> > -   src = vc->vc_font.data + (scr_readw(s++)&
> > - charmask)*cellsize;
> > +   u16 ch = scr_readw(s++) & charmask;
> > +
> > +   if (ch >= charcnt)
> > +   ch = 0;
> > +   src = vc->vc_font.data + (unsigned int)ch * cellsize;
> >  
> > if (attr) {
> > update_attr(buf, src, attr, vc);
> > @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data 
> > *vc,
> >u8 *dst)
> >  {
> > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
> > +   unsigned int charcnt = vc->vc_font.charcount;
> > u32 shift_low = 0, mod = vc->vc_font.width % 8;
> > u32 shift_high = 8;
> > u32 idx = vc->vc_font.width >> 3;
> > u8 *src;
> >  
> > while (cnt--) {
> > -   src = vc->vc_font.data + (scr_readw(s++)&
> > - charmask)*cellsize;
> > +   u16 ch = scr_readw(s++) & charmask;
> > +
> > +   if (ch >= charcnt)
> >

Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2025-10-28 Thread Helge Deller

On 10/20/25 16:29, Thomas Zimmermann wrote:

Hi

Am 20.10.25 um 15:47 schrieb Junjie Cao:

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: [email protected]
Signed-off-by: Junjie Cao 


Reviewed-by: Thomas Zimmermann 

...

v1: 
https://lore.kernel.org/linux-fbdev/[email protected]/
v1 -> v2:
  - Fix indentation and add blank line after declarations with the .pl helper
  - No functional changes

  drivers/video/fbdev/core/bitblit.c | 16 
  1 file changed, 12 insertions(+), 4 deletions(-)


applied.

Thanks!
Helge


Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

2025-10-20 Thread Thomas Zimmermann

Hi

Am 20.10.25 um 15:47 schrieb Junjie Cao:

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: [email protected]
Signed-off-by: Junjie Cao 


Reviewed-by: Thomas Zimmermann 

Thanks for fixing the bug.

Best regards
Thomas


---
v1: 
https://lore.kernel.org/linux-fbdev/[email protected]/
v1 -> v2:
  - Fix indentation and add blank line after declarations with the .pl helper
  - No functional changes

  drivers/video/fbdev/core/bitblit.c | 16 
  1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/bitblit.c 
b/drivers/video/fbdev/core/bitblit.c
index 9d2e59796c3e..085ffb44c51a 100644
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, 
struct fb_info *info,
 struct fb_image *image, u8 *buf, u8 *dst)
  {
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+   unsigned int charcnt = vc->vc_font.charcount;
u32 idx = vc->vc_font.width >> 3;
u8 *src;
  
  	while (cnt--) {

-   src = vc->vc_font.data + (scr_readw(s++)&
- charmask)*cellsize;
+   u16 ch = scr_readw(s++) & charmask;
+
+   if (ch >= charcnt)
+   ch = 0;
+   src = vc->vc_font.data + (unsigned int)ch * cellsize;
  
  		if (attr) {

update_attr(buf, src, attr, vc);
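Review bot: the clamp `if (ch >= charcnt) ch = 0;` in this hunk is only meaningful when `vc->vc_font.charcount` has actually been populated; on a tree where that field is left at 0 (the later replies in this thread report v5.10.y lacks the commits that set it), `ch >= charcnt` holds for every character and the whole line is drawn as glyph 0. The commit message or the stable Cc should state that dependency, and it is worth deciding whether a zero charcnt should be treated as "unknown" rather than silently clamping everything to glyph 0.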
@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc,
   u8 *dst)
  {
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
+   unsigned int charcnt = vc->vc_font.charcount;
u32 shift_low = 0, mod = vc->vc_font.width % 8;
u32 shift_high = 8;
u32 idx = vc->vc_font.width >> 3;
u8 *src;
  
  	while (cnt--) {

-   src = vc->vc_font.data + (scr_readw(s++)&
- charmask)*cellsize;
+   u16 ch = scr_readw(s++) & charmask;
+
+   if (ch >= charcnt)
+   ch = 0;
+   src = vc->vc_font.data + (unsigned int)ch * cellsize;
  
  		if (attr) {

update_attr(buf, src, attr, vc);
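Review bot: this hunk repeats the aligned hunk's clamp verbatim (`u16 ch = scr_readw(s++) & charmask;` followed by `if (ch >= charcnt) ch = 0;`); a small static inline helper taking vc and the raw screen word and returning the bounded glyph pointer would keep bit_putcs_aligned() and bit_putcs_unaligned() from drifting and give one place to handle the charcount == 0 case the first hunk shares. The `(unsigned int)ch * cellsize` widening is fine as ch is at most 0x1ff after masking.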


--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)