[PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds

Osama Abdelkader posted 1 patch 3 weeks ago
Posted by Osama Abdelkader 3 weeks ago
The sys_fillrect function was missing bounds validation, which could lead
to vmalloc-out-of-bounds writes when the rectangle coordinates extend
beyond the framebuffer's virtual resolution. This was detected by KASAN
and reported by syzkaller.

Add validation to:
1. Check that width and height are non-zero
2. Verify that dx and dy are within virtual resolution bounds
3. Clip the rectangle dimensions to fit within virtual resolution if needed

This follows the same pattern used in other framebuffer drivers like
pm2fb_fillrect.

Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
---
 drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
index 12eea3e424bb..73fc322ff8fd 100644
--- a/drivers/video/fbdev/core/sysfillrect.c
+++ b/drivers/video/fbdev/core/sysfillrect.c
@@ -7,6 +7,7 @@
 #include <linux/module.h>
 #include <linux/fb.h>
 #include <linux/bitrev.h>
+#include <linux/string.h>
 #include <asm/types.h>
 
 #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
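Review bot: the new `#include <linux/string.h>` is only there to serve the `memcpy(&modded, rect, sizeof(struct fb_fillrect))` in the next hunk; a plain struct assignment (`modded = *rect;`) performs the same copy of a small struct without the extra include and is the more common kernel idiom, so if that change is made this hunk can be dropped entirely.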
@@ -18,10 +19,28 @@
 
 void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
 {
+	struct fb_fillrect modded;
+	int vxres, vyres;
+
 	if (!(p->flags & FBINFO_VIRTFB))
 		fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
 
-	fb_fillrect(p, rect);
+	vxres = p->var.xres_virtual;
+	vyres = p->var.yres_virtual;
+
+	/* Validate and clip rectangle to virtual resolution */
+	if (!rect->width || !rect->height ||
+	    rect->dx >= vxres || rect->dy >= vyres)
+		return;
+
+	memcpy(&modded, rect, sizeof(struct fb_fillrect));
+
+	if (modded.dx + modded.width > vxres)
+		modded.width = vxres - modded.dx;
+	if (modded.dy + modded.height > vyres)
+		modded.height = vyres - modded.dy;
+
+	fb_fillrect(p, &modded);
 }
 EXPORT_SYMBOL(sys_fillrect);
 
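Review bot: the clipping at `if (modded.dx + modded.width > vxres)` is not overflow-safe: dx and width are __u32 in struct fb_fillrect, so the sum wraps for a large width and the rectangle then reaches fb_fillrect unclipped, which is exactly the out-of-bounds write this patch is meant to stop. Since the early return already guarantees dx < vxres, compare the size against the remaining room instead, e.g. `if (modded.width > vxres - modded.dx) modded.width = vxres - modded.dx;` and the same for dy/height. Declaring vxres and vyres as u32 (matching p->var.xres_virtual) also removes the signed/unsigned comparison in `rect->dx >= vxres`. Two smaller points: the silent `return` on an out-of-range dx or dy hides a caller bug without leaving any trace, so a WARN_ON_ONCE or fb_warn_once there would make such callers visible; and the bound used is the virtual resolution, whereas the quantity a write into screen_base must not exceed is the actual mapping (p->fix.smem_len, with p->fix.line_length bytes per row), so the two should at least be known to agree for every driver that routes through this helper.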
-- 
2.43.0
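The overflow hazard in the clipping check above is easiest to see with a stand-alone model. The following is an added example, not code from the patch or the kernel: a user-space C program whose `struct rect`, `clip_naive`, `clip_safe` and `rect_in_bounds` are this example's own constructed names, with uint32_t fields mirroring the __u32 fields of struct fb_fillrect and fb_var_screeninfo. `clip_naive` reproduces the patch's `dx + width > vxres` form; `clip_safe` uses the subtraction form against the remaining room.

```c
/* Added example (not the patch's or the kernel's code): compare the two
 * clipping forms on 32-bit unsigned coordinates. Names here are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct fb_fillrect (all fields __u32). */
struct rect {
	uint32_t dx, dy, width, height;
};

/* Clip as the patch does. The sum dx + width is computed in 32-bit unsigned
 * arithmetic and wraps when width is close to UINT32_MAX, so an out-of-range
 * rectangle slips past the check unclipped. Returns false if nothing to draw. */
static bool clip_naive(struct rect *r, uint32_t vxres, uint32_t vyres)
{
	if (!r->width || !r->height || r->dx >= vxres || r->dy >= vyres)
		return false;
	if (r->dx + r->width > vxres)
		r->width = vxres - r->dx;
	if (r->dy + r->height > vyres)
		r->height = vyres - r->dy;
	return true;
}

/* Overflow-safe clip: compare the size against the remaining room instead of
 * forming a sum that can wrap. dx < vxres and dy < vyres are established by
 * the early return, so the subtractions cannot underflow. */
static bool clip_safe(struct rect *r, uint32_t vxres, uint32_t vyres)
{
	if (!r->width || !r->height || r->dx >= vxres || r->dy >= vyres)
		return false;
	if (r->width > vxres - r->dx)
		r->width = vxres - r->dx;
	if (r->height > vyres - r->dy)
		r->height = vyres - r->dy;
	return true;
}

/* Post-condition a fill helper needs: the rectangle lies inside the virtual
 * framebuffer, checked without any wrapping addition. */
static bool rect_in_bounds(const struct rect *r, uint32_t vxres, uint32_t vyres)
{
	return r->dx < vxres && r->dy < vyres &&
	       r->width <= vxres - r->dx && r->height <= vyres - r->dy;
}

int main(void)
{
	const uint32_t vxres = 1024, vyres = 768;
	/* Constructed input: dx near the right edge and a width chosen so that
	 * dx + width wraps to a small value (1000 + (UINT32_MAX - 500) == 499). */
	struct rect wrap = { .dx = 1000, .dy = 10, .width = UINT32_MAX - 500, .height = 5 };
	struct rect a = wrap, b = wrap;

	clip_naive(&a, vxres, vyres);
	clip_safe(&b, vxres, vyres);
	printf("naive: width=%u in_bounds=%d\n", a.width, rect_in_bounds(&a, vxres, vyres));
	printf("safe:  width=%u in_bounds=%d\n", b.width, rect_in_bounds(&b, vxres, vyres));
	return 0;
}
```

With the constructed input the naive form leaves the width untouched and `rect_in_bounds` reports false, while the subtraction form clips the width to the 24 remaining columns. The same subtraction shape is what a bounds check against the real allocation (`smem_len` and `line_length`) would use as well.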
Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
Posted by Thomas Zimmermann 2 weeks, 6 days ago
Hi,

thanks for the patch.

Am 18.01.26 um 01:18 schrieb Osama Abdelkader:
> The sys_fillrect function was missing bounds validation, which could lead
> to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> beyond the framebuffer's virtual resolution. This was detected by KASAN
> and reported by syzkaller.
>
> Add validation to:
> 1. Check that width and height are non-zero
> 2. Verify that dx and dy are within virtual resolution bounds
> 3. Clip the rectangle dimensions to fit within virtual resolution if needed

This is rather a problem with the caller of the fillrect helper and 
affects all drivers and all implementations of fb_fillrect. Clipping 
should happen in the fbcon functions before invoking ->fb_con.

Best regards
Thomas

>
> This follows the same pattern used in other framebuffer drivers like
> pm2fb_fillrect.
>
> Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> ---
>   drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
>   1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> index 12eea3e424bb..73fc322ff8fd 100644
> --- a/drivers/video/fbdev/core/sysfillrect.c
> +++ b/drivers/video/fbdev/core/sysfillrect.c
> @@ -7,6 +7,7 @@
>   #include <linux/module.h>
>   #include <linux/fb.h>
>   #include <linux/bitrev.h>
> +#include <linux/string.h>
>   #include <asm/types.h>
>   
>   #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
> @@ -18,10 +19,28 @@
>   
>   void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
>   {
> +	struct fb_fillrect modded;
> +	int vxres, vyres;
> +
>   	if (!(p->flags & FBINFO_VIRTFB))
>   		fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
>   
> -	fb_fillrect(p, rect);
> +	vxres = p->var.xres_virtual;
> +	vyres = p->var.yres_virtual;
> +
> +	/* Validate and clip rectangle to virtual resolution */
> +	if (!rect->width || !rect->height ||
> +	    rect->dx >= vxres || rect->dy >= vyres)
> +		return;
> +
> +	memcpy(&modded, rect, sizeof(struct fb_fillrect));
> +
> +	if (modded.dx + modded.width > vxres)
> +		modded.width = vxres - modded.dx;
> +	if (modded.dy + modded.height > vyres)
> +		modded.height = vyres - modded.dy;
> +
> +	fb_fillrect(p, &modded);
>   }
>   EXPORT_SYMBOL(sys_fillrect);
>   

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)


Re: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
Posted by Osama Abdelkader 2 weeks, 1 day ago
On Mon, Jan 19, 2026 at 08:38:31AM +0100, Thomas Zimmermann wrote:
> Hi,
> 
> thanks for the patch.
> 
> Am 18.01.26 um 01:18 schrieb Osama Abdelkader:
> > The sys_fillrect function was missing bounds validation, which could lead
> > to vmalloc-out-of-bounds writes when the rectangle coordinates extend
> > beyond the framebuffer's virtual resolution. This was detected by KASAN
> > and reported by syzkaller.
> > 
> > Add validation to:
> > 1. Check that width and height are non-zero
> > 2. Verify that dx and dy are within virtual resolution bounds
> > 3. Clip the rectangle dimensions to fit within virtual resolution if needed
> 
> This is rather a problem with the caller of the fillrect helper and affects
> all drivers and all implementations of fb_fillrect. Clipping should happen
> in the fbcon functions before invoking ->fb_con.
> 
> Best regards
> Thomas
> 
> > 
> > This follows the same pattern used in other framebuffer drivers like
> > pm2fb_fillrect.
> > 
> > Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
> > Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> > ---
> >   drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
> >   1 file changed, 20 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c
> > index 12eea3e424bb..73fc322ff8fd 100644
> > --- a/drivers/video/fbdev/core/sysfillrect.c
> > +++ b/drivers/video/fbdev/core/sysfillrect.c
> > @@ -7,6 +7,7 @@
> >   #include <linux/module.h>
> >   #include <linux/fb.h>
> >   #include <linux/bitrev.h>
> > +#include <linux/string.h>
> >   #include <asm/types.h>
> >   #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE
> > @@ -18,10 +19,28 @@
> >   void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect)
> >   {
> > +	struct fb_fillrect modded;
> > +	int vxres, vyres;
> > +
> >   	if (!(p->flags & FBINFO_VIRTFB))
> >   		fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __func__);
> > -	fb_fillrect(p, rect);
> > +	vxres = p->var.xres_virtual;
> > +	vyres = p->var.yres_virtual;
> > +
> > +	/* Validate and clip rectangle to virtual resolution */
> > +	if (!rect->width || !rect->height ||
> > +	    rect->dx >= vxres || rect->dy >= vyres)
> > +		return;
> > +
> > +	memcpy(&modded, rect, sizeof(struct fb_fillrect));
> > +
> > +	if (modded.dx + modded.width > vxres)
> > +		modded.width = vxres - modded.dx;
> > +	if (modded.dy + modded.height > vyres)
> > +		modded.height = vyres - modded.dy;
> > +
> > +	fb_fillrect(p, &modded);
> >   }
> >   EXPORT_SYMBOL(sys_fillrect);
> 
> -- 
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
> GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
> 
> 

Thanks for the info.

Best regards,
Osama