From: ssrane_b23@ee.vjti.ac.in
X-Google-Original-From: ssranevjti@gmail.com
To: Zsolt Kajtar, Simona Vetter, Helge Deller
Cc: Shaurya Rane, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, syzbot+5a40432dfe8f86ee657a@syzkaller.appspotmail.com
Subject: [PATCH] fbdev: core: Fix vmalloc-out-of-bounds in fb_imageblit
Date: Wed, 19 Nov 2025 19:08:21 +0530
Message-Id: <20251119133821.89998-1-ssranevjti@gmail.com>
From: Shaurya Rane

syzbot reported a vmalloc-out-of-bounds write in fb_imageblit. The crash occurs when drawing an image at the very end of the framebuffer memory.

The current bounds check in fb_imageblit limits the drawing height (max_y) by dividing the screen size by the line length. However, this calculation only ensures that the start of the last line fits within the buffer. It fails to account for the width of the image on that final line. If the image width (multiplied by bpp) exceeds the remaining space on the last line, the drawing routine writes past the end of the allocated video memory.

This patch replaces the insufficient check with a more precise one. It calculates the effective width in bytes of the image (accounting for clipping against xres_virtual) and ensures that the last byte of the operation falls within the screen buffer. Specifically, it checks if '(dy + height - 1) * line_length + effective_width_bytes' exceeds screen_size. If it does, the drawing height max_y is reduced to prevent the out-of-bounds access.

Reported-by: syzbot+5a40432dfe8f86ee657a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5a40432dfe8f86ee657a
Signed-off-by: Shaurya Rane
---
 drivers/video/fbdev/core/fb_imageblit.h | 66 +++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/fb_imageblit.h b/drivers/video/fbdev/core/fb_imageblit.h
index 3b2bb4946505..0c0d05cff3f8 100644
--- a/drivers/video/fbdev/core/fb_imageblit.h
+++ b/drivers/video/fbdev/core/fb_imageblit.h
@@ -485,11 +485,69 @@ static inline void fb_imageblit(struct fb_info *p, co= nst struct fb_image *image) struct fb_address dst =3D fb_address_init(p); struct fb_reverse reverse =3D fb_reverse_init(p); const u32 *palette =3D fb_palette(p); + struct fb_image clipped_image; + u32 max_x, max_y; + unsigned long max_offset_bytes; + + /* Validate basic parameters */ + if (!image || !p->screen_buffer || !p->screen_size || + !image->width || !image->height) + return; + + /* Calculate maximum addressable coordinates based on virtual resolution = and buffer size */ + max_x =3D p->var.xres_virtual; + max_y =3D p->var.yres_virtual; + + /* Check against actual buffer size to prevent vmalloc overflow */ + { + unsigned long effective_width_bytes; + u32 right_edge =3D image->dx + image->width; + + if (right_edge < image->dx) + right_edge =3D max_x; + else + right_edge =3D min(right_edge, max_x); + + effective_width_bytes =3D (unsigned long)right_edge * bpp; + effective_width_bytes =3D (effective_width_bytes + 7) / 8; + + if (effective_width_bytes > p->screen_size) { + max_y =3D 0; + } else if (p->fix.line_length) { + u32 max_lines =3D (p->screen_size - effective_width_bytes) / + p->fix.line_length + 1; + if (max_lines < max_y) + max_y =3D max_lines; + } + } + + /* If image is completely outside bounds, skip it */ + if (image->dx >=3D max_x || image->dy >=3D max_y) + return; + + /* Create clipped image - clip to virtual resolution bounds */ + clipped_image =3D *image; + + /* Clip width if it extends beyond right edge */ + if (clipped_image.dx + clipped_image.width > max_x) { + if (clipped_image.dx < max_x) + clipped_image.width =3D max_x - clipped_image.dx; + else + return; /* completely outside */ + } + + /* Clip height if it extends beyond bottom edge */ + if (clipped_image.dy + clipped_image.height > max_y) { + if (clipped_image.dy < max_y) + clipped_image.height =3D max_y - clipped_image.dy; + else + return; /* completely outside */ + } =20 - fb_address_forward(&dst, image->dy * 
bits_per_line + image->dx * bpp); + fb_address_forward(&dst, clipped_image.dy * bits_per_line + clipped_image= .dx * bpp); =20 - if (image->depth =3D=3D 1) - fb_bitmap_imageblit(image, &dst, bits_per_line, palette, bpp, reverse); + if (clipped_image.depth =3D=3D 1) + fb_bitmap_imageblit(&clipped_image, &dst, bits_per_line, palette, bpp, r= everse); else - fb_color_imageblit(image, &dst, bits_per_line, palette, bpp, reverse); + fb_color_imageblit(&clipped_image, &dst, bits_per_line, palette, bpp, re= verse); } --=20 2.34.1
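Review bot: the u32 wrap-around guard is applied inconsistently in this hunk. `right_edge < image->dx` catches `image->dx + image->width` wrapping when `effective_width_bytes` is sized, but the width clip further down repeats the same unguarded sum, `if (clipped_image.dx + clipped_image.width > max_x)`, so a wrapped sum compares as small, the width is left unclipped, and the blit runs with the original oversized `width` although `max_y` was computed for a row at most `max_x` pixels wide; `clipped_image.dy + clipped_image.height > max_y` has the same problem. Compute each sum once in an `unsigned long` (or reuse the `<` wrap test) and use that value for both the size computation and the clip. Two more points: the helpers receive only `&clipped_image`, so if they derive the source row pitch from `image->width` (the caller's bitmap layout does not change when the drawn width is shrunk), a horizontally clipped image will be read with the wrong stride and render skewed; either keep the original pitch available to the helpers or return early for images that extend past `max_x`. And the commit message says the patch "replaces" an existing `max_y` check that divides screen size by line length, but the only removed lines are the `fb_address_forward()` call, the `if (image->depth == 1)` test and the two blit calls; no such check is deleted, so the message should describe what the hunk actually changes. Stylistically, the bare `{ ... }` block around the `effective_width_bytes` computation and the comment line longer than 80 columns should give way to hoisted declarations or a small static helper.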
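The following is an added user-space model of the bounds arithmetic the commit message describes; it is not code from the patch, the kernel or the patch author. It contrasts a check that only verifies where the last row starts with the "(dy + height - 1) * line_length + effective_width_bytes" end-of-blit check, and it works out the row limit the patch's `max_lines` formula yields. All names (`fb_geom`, `fb_img`, `blit_end_bytes`, `max_rows_for_width`, `last_row_start_fits`, `clip_height`, `blit_fits`) and both sample geometries are constructed for this example.

```c
/* Added example, not from the patch or the kernel: user-space model of the
 * framebuffer bounds arithmetic discussed in the commit message. Every name
 * below is hypothetical and the sample geometries are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct fb_geom {
	uint64_t screen_size;   /* bytes of video memory */
	uint32_t line_length;   /* bytes per scanline, may include padding */
	uint32_t xres_virtual;  /* addressable pixels per scanline */
	uint32_t bpp;           /* bits per pixel */
};

struct fb_img {
	uint32_t dx, dy;        /* top-left corner, in pixels */
	uint32_t width, height; /* size, in pixels */
};

/* Constructed samples: 800 visible pixels at 8 bpp on 1000-byte scanlines
 * (200 bytes of padding per line), with two different buffer sizes. */
static const struct fb_geom padded_geom = { 3900, 1000, 800, 8 };
static const struct fb_geom tail_geom   = { 3500, 1000, 800, 8 };
static const struct fb_img full_image = { 0, 0, 800, 8 };         /* 8 full-width rows */
static const struct fb_img tail_image = { 0, 3, 800, 1 };         /* one row at line 3 */
static const struct fb_img wrap_image = { 10, 0, UINT32_MAX, 1 }; /* dx + width wraps u32 */

/* Right edge in pixels, clipped to xres_virtual; summed in 64 bits so that
 * dx + width cannot wrap around. */
static uint32_t clipped_right_edge(const struct fb_geom *g, const struct fb_img *im)
{
	uint64_t edge = (uint64_t)im->dx + im->width;

	return edge > g->xres_virtual ? g->xres_virtual : (uint32_t)edge;
}

/* Bytes from the start of a scanline to the last byte the blit touches on it. */
static uint64_t effective_width_bytes(const struct fb_geom *g, const struct fb_img *im)
{
	return ((uint64_t)clipped_right_edge(g, im) * g->bpp + 7) / 8;
}

/* One past the last byte written when `rows` rows are drawn from im->dy:
 * (dy + rows - 1) * line_length + effective_width_bytes. */
static uint64_t blit_end_bytes(const struct fb_geom *g, const struct fb_img *im, uint32_t rows)
{
	if (rows == 0)
		return 0;
	return ((uint64_t)im->dy + rows - 1) * g->line_length + effective_width_bytes(g, im);
}

/* The insufficient condition: only the start of the last row is checked. */
static bool last_row_start_fits(const struct fb_geom *g, const struct fb_img *im)
{
	return ((uint64_t)im->dy + im->height - 1) * g->line_length < g->screen_size;
}

/* Whole-scanline limit, screen_size / line_length. */
static uint32_t max_rows_naive(const struct fb_geom *g)
{
	return g->line_length ? (uint32_t)(g->screen_size / g->line_length) : 0;
}

/* Largest row count, from line 0, whose final row still ends inside
 * screen_size for this image's effective width (the patch's max_lines). */
static uint32_t max_rows_for_width(const struct fb_geom *g, const struct fb_img *im)
{
	uint64_t ewb = effective_width_bytes(g, im);
	uint64_t rows;

	if (g->line_length == 0 || ewb > g->screen_size)
		return 0;
	rows = (g->screen_size - ewb) / g->line_length + 1;
	return rows > UINT32_MAX ? UINT32_MAX : (uint32_t)rows;
}

/* Height the image is clipped to; 0 means nothing may be drawn. */
static uint32_t clip_height(const struct fb_geom *g, const struct fb_img *im)
{
	uint32_t max_y = max_rows_for_width(g, im);

	if (im->dy >= max_y)
		return 0;
	return (uint64_t)im->dy + im->height > max_y ? max_y - im->dy : im->height;
}

/* True when the clipped blit stays inside the buffer. */
static bool blit_fits(const struct fb_geom *g, const struct fb_img *im)
{
	uint32_t h = clip_height(g, im);

	return h != 0 && blit_end_bytes(g, im, h) <= g->screen_size;
}

int main(void)
{
	uint32_t h = clip_height(&padded_geom, &full_image);

	printf("padded: naive rows %u, precise rows %u, drawn %u rows ending at byte %llu\n",
	       max_rows_naive(&padded_geom), max_rows_for_width(&padded_geom, &full_image),
	       h, (unsigned long long)blit_end_bytes(&padded_geom, &full_image, h));
	printf("tail: start-only check %s, blit ends at byte %llu of %llu, precise check %s\n",
	       last_row_start_fits(&tail_geom, &tail_image) ? "passes" : "fails",
	       (unsigned long long)blit_end_bytes(&tail_geom, &tail_image, tail_image.height),
	       (unsigned long long)tail_geom.screen_size,
	       blit_fits(&tail_geom, &tail_image) ? "passes" : "fails");
	printf("wrap: right edge clipped to %u pixels\n", clipped_right_edge(&padded_geom, &wrap_image));
	return 0;
}
```

With the 3500-byte buffer, a one-row image at line 3 passes the start-only check (row start 3000 is inside the buffer) while its last byte lands at 3800, which is the class of overrun the report describes; the end-of-blit check rejects it. With the 3900-byte buffer the same arithmetic permits four rows where screen_size / line_length permits three, because the trailing padding of the last scanline is never written.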