linux/drivers
Tetsuo Handa 033724d686 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
syzbot is reporting a general protection fault in bitfill_aligned() [1]
caused by integer underflow in bit_clear_margins(). The cause of this
problem is when and how vc_do_resize() updates vc->vc_{cols,rows}.

If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). An unexpectedly large rw or bh will
try to overrun the __iomem region and cause a general protection fault.

Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

  new_cols = (cols ? cols : vc->vc_cols);
  new_rows = (lines ? lines : vc->vc_rows);

exception. Since cols and lines are calculated as

  cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
  rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
  cols /= vc->vc_font.width;
  rows /= vc->vc_font.height;
  vc_resize(vc, cols, rows);

in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means that

  const int fd = open("/dev/fb0", O_ACCMODE);
  struct fb_var_screeninfo var = { };
  ioctl(fd, FBIOGET_VSCREENINFO, &var);
  var.xres = var.yres = 1;
  ioctl(fd, FBIOPUT_VSCREENINFO, &var);

easily reproduces the integer underflow bug explained above.

Of course, that callers of vc_resize() are not handling vc_do_resize() failure
is bad. But we can't avoid vc_resize(vc, 0, 0), which returns 0. Therefore,
as a band-aid workaround, this patch checks integer underflow in
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height do not
cause integer overflow.

[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

Reported-and-tested-by: syzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-23 16:22:25 +02:00
accessibility treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
acpi Merge branch 'acpi-fan' 2020-07-03 16:15:31 +02:00
amba ARM: tegra: Replace zero-length array with flexible-array 2020-06-15 23:08:28 -05:00
android binder: fix null deref of proc->context 2020-06-23 07:54:46 +02:00
ata libata-5.8-2020-06-19 2020-06-19 13:09:40 -07:00
atm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
auxdisplay treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
base regmap: Fixes for v5.8 2020-07-17 09:58:18 -07:00
bcma
block Char/Misc fixes for 5.8-rc6 2020-07-16 11:26:40 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus bus: ti-sysc: Do not disable on suspend for no-idle 2020-07-02 13:57:57 -07:00
cdrom Merge branch 'work.sysctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:05:54 -07:00
char Char/Misc fixes for 5.8-rc6 2020-07-16 11:26:40 -07:00
clk A couple build fixes for issues exposed this merge window and a fix for 2020-07-15 19:00:12 -07:00
clocksource arm64: arch_timer: Disable the compat vdso for cores affected by ARM64_WORKAROUND_1418040 2020-07-08 21:57:51 +01:00
connector treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
counter counter: 104-quad-8: Add lock guards - filter clock prescaler 2020-06-14 14:46:52 +01:00
cpufreq cpufreq: intel_pstate: Fix active mode setting from command line 2020-07-13 17:55:57 +02:00
cpuidle cpuidle: Rearrange s2idle-specific idle state entry code 2020-06-25 13:52:53 +02:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
dax device-dax: add memory via add_memory_driver_managed() 2020-06-04 19:06:23 -07:00
dca
devfreq PM / devfreq: Use lockdep asserts instead of manual checks for locked mutex 2020-05-28 18:02:40 +09:00
dio maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
dma dmaengine fixes for v5.5-rc6 2020-07-15 15:58:11 -07:00
dma-buf dmabuf: use spinlock to access dmabuf->name 2020-07-10 15:39:29 +05:30
edac EDAC/amd64: Read back the scrub rate PCI register on F15h 2020-06-18 20:25:25 +02:00
eisa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
extcon extcon: arizona: Fix runtime PM imbalance on error 2020-05-29 17:36:02 +09:00
firewire firewire: ohci: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
firmware arm64 fixes for -rc6 2020-07-17 15:27:52 -07:00
fpga FPGA Manager fixes for 5.8-rc1 2020-06-26 17:26:31 +02:00
fsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio gpio fixes for v5.8-rc3 2020-06-26 23:53:25 +02:00
gpu Merge tag 'amd-drm-fixes-5.8-2020-07-15' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2020-07-17 13:29:00 +10:00
greybus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid into master 2020-07-17 09:43:13 -07:00
hsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hv Drivers: hv: Change flag to write log level in panic msg to false 2020-06-29 10:30:35 +00:00
hwmon hwmon: (drivetemp) Avoid SCT usage on Toshiba DT01ACA family drives 2020-07-18 08:11:44 -07:00
hwspinlock
hwtracing intel_th: Fix a NULL dereference when hub driver is not loaded 2020-07-10 15:12:48 +02:00
i2c i2c: mlxcpld: check correct size of maximum RECV_LEN packet 2020-07-04 08:20:38 +02:00
i3c
ide treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
idle
iio First set of IIO and counter fixes in the 5.8 cycle. 2020-07-08 09:20:50 +02:00
infiniband RDMA/mlx5: Set PD pointers for the error flow unwind 2020-07-08 20:15:59 -03:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2020-07-13 18:31:15 -07:00
interconnect More power management updates for 5.8-rc1 2020-06-10 14:04:39 -07:00
iommu Two fixes for the interrupt subsystem: 2020-07-19 11:53:08 -07:00
ipack treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
irqchip Bugfixes and a one-liner patch to silence sparse. 2020-07-06 12:48:04 -07:00
isdn treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leds LEDs pull request for 5.8-rc1. 2020-06-04 11:03:45 -07:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mailbox mailbox: qcom: Add ipq6018 apcs compatible 2020-06-10 22:43:57 -05:00
mcb
md dm: use noio when sending kobject event 2020-07-08 12:50:51 -04:00
media media: omap3isp: remove cacheflush.h 2020-06-26 00:27:37 -07:00
memory Merge branch 'baikal/drivers' into arm/drivers 2020-05-28 14:18:11 +02:00
memstick
message scsi: mptfusion: Don't use GFP_ATOMIC for larger DMA allocations 2020-06-26 22:51:53 -04:00
mfd irqdomain/treewide: Keep firmware node unconditionally allocated 2020-07-14 17:44:42 +02:00
misc mei: bus: don't clean driver pointer 2020-06-29 19:10:51 +02:00
mmc mmc: sdhci-msm: Override DLL_CONFIG only if the valid value is supplied 2020-07-08 15:30:35 +02:00
most
mtd mtd: rawnand: xway: Fix build issue 2020-07-07 21:04:38 +02:00
mux
net mlxsw: pci: Fix use-after-free in case of failed devlink reload 2020-07-10 14:33:34 -07:00
nfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-05 20:02:09 -04:00
nubus
nvdimm libnvdimm/security: Fix key lookup permissions 2020-07-08 17:08:01 -07:00
nvme nvme: explicitly update mpath disk capacity on revalidation 2020-07-16 16:40:27 +02:00
nvmem
of of: of_mdio: Correct loop scanning logic 2020-06-19 13:39:00 -07:00
opp opp: Increase parsed_static_opps in _of_add_opp_table_v1() 2020-07-16 08:50:54 +05:30
oprofile oprofile: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
parisc
parport treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pci irqdomain/treewide: Keep firmware node unconditionally allocated 2020-07-14 17:44:42 +02:00
pcmcia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
perf drivers/perf: Prevent forced unbinding of PMU drivers 2020-07-17 10:51:44 +01:00
phy phy: fixes for 5.8 2020-07-08 18:00:07 +02:00
pinctrl intel-pinctrl for v5.8-2 2020-06-28 01:08:21 +02:00
platform platform/x86: asus-wmi: allow BAT1 battery name 2020-07-15 12:47:04 +03:00
pnp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
power power supply and reset changes for the v5.8 series 2020-06-10 11:28:35 -07:00
powercap Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pps treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ps3
ptp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pwm pwm: Add missing "CONFIG_" prefix 2020-06-04 19:09:28 +02:00
rapidio rapidio: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
ras
regulator regulator: rename da903x to da903x-regulator 2020-06-25 15:29:21 +01:00
remoteproc remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
reset Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
rpmsg remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
rtc RTC for 5.8 2020-06-07 16:11:23 -07:00
s390 vfio-ccw: Fix a build error due to missing include of linux/slab.h 2020-07-03 11:41:31 +02:00
sbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
scsi scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro 2020-07-15 16:16:45 -04:00
sfi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sh
siox
slimbus
soc i.MX fixes for 5.8, round 2: 2020-07-16 22:08:07 +02:00
soundwire soundwire: intel: fix memory leak with devm_kasprintf 2020-06-22 17:15:20 +05:30
spi spi: Fixes for v5.8 2020-07-17 10:24:09 -07:00
spmi
ssb
staging staging: comedi: verify array index is correct before using it 2020-07-10 14:03:00 +02:00
target Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
tc
tee mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thermal - Fix invalid index array access on int340x_thermal leading to a 2020-07-16 11:08:54 -07:00
thunderbolt thunderbolt: Fix path indices used in USB3 tunnel discovery 2020-06-25 15:45:30 +03:00
tty serial: 8250_mtk: Fix high-speed baud rates clamping 2020-07-21 21:23:18 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-03 10:52:02 +02:00
usb USB-serial fixes for 5.8-rc6 2020-07-16 17:30:59 +02:00
vdpa vdpa: fix typos in the comments for __vdpa_alloc_device() 2020-06-22 12:34:21 -04:00
vfio vfio/pci: Fix SR-IOV VF handling with MMIO blocking 2020-06-25 11:04:23 -06:00
vhost tools/virtio: Add --reset 2020-06-22 12:34:21 -04:00
video fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. 2020-07-23 16:22:25 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-10 13:40:19 +02:00
virtio virtio-mem: add memory via add_memory_driver_managed() 2020-06-22 12:34:21 -04:00
visorbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vlynq
vme treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
w1 w1: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
watchdog treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xen xen: branch for v5.8-rc5 2020-07-11 11:16:46 -07:00
zorro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig
Makefile