From: Osama Abdelkader
To: Zsolt Kajtar, Simona Vetter, Helge Deller, Osama Abdelkader, Thomas Zimmermann, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
Subject: [PATCH] fbdev: sys_fillrect: Add bounds checking to prevent vmalloc-out-of-bounds
Date: Sun, 18 Jan 2026 01:18:48 +0100
Message-ID: <20260118001852.70173-1-osama.abdelkader@gmail.com>

The sys_fillrect function was missing bounds validation, which could lead to vmalloc-out-of-bounds writes when the rectangle coordinates extend beyond the framebuffer's virtual resolution. This was detected by KASAN and reported by syzkaller.

Add validation to:

1. Check that width and height are non-zero
2. Verify that dx and dy are within virtual resolution bounds
3. Clip the rectangle dimensions to fit within virtual resolution if needed

This follows the same pattern used in other framebuffer drivers like pm2fb_fillrect.

Reported-by: syzbot+7a63ce155648954e749b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a63ce155648954e749b
Signed-off-by: Osama Abdelkader
---
 drivers/video/fbdev/core/sysfillrect.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/c= ore/sysfillrect.c index 12eea3e424bb..73fc322ff8fd 100644 --- a/drivers/video/fbdev/core/sysfillrect.c
+++ b/drivers/video/fbdev/core/sysfillrect.c @@ -7,6 +7,7 @@ #include #include #include +#include #include =20 #ifdef CONFIG_FB_SYS_REV_PIXELS_IN_BYTE @@ -18,10 +19,28 @@ =20 void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect) { + struct fb_fillrect modded; + int vxres, vyres; + if (!(p->flags & FBINFO_VIRTFB)) fb_warn_once(p, "%s: framebuffer is not in virtual address space.\n", __= func__); =20 - fb_fillrect(p, rect); + vxres =3D p->var.xres_virtual; + vyres =3D p->var.yres_virtual; + + /* Validate and clip rectangle to virtual resolution */ + if (!rect->width || !rect->height || + rect->dx >=3D vxres || rect->dy >=3D vyres) + return; + + memcpy(&modded, rect, sizeof(struct fb_fillrect)); + + if (modded.dx + modded.width > vxres) + modded.width =3D vxres - modded.dx; + if (modded.dy + modded.height > vyres) + modded.height =3D vyres - modded.dy; + + fb_fillrect(p, &modded); } EXPORT_SYMBOL(sys_fillrect); =20 --=20 2.43.0
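Review bot: in the second hunk the clip `if (modded.dx + modded.width > vxres)` is evaluated in 32 bits and wraps for a large width, so a rectangle with dx = 1 and width = 0xffffffff passes the check unclipped; since the preceding `rect->dx >= vxres` test already guarantees dx < vxres, write the clip as `if (modded.width > vxres - modded.dx)` (and likewise `modded.height > vyres - modded.dy`), which cannot overflow. Related, `vxres`/`vyres` are declared `int` while `rect->dx` and `var.xres_virtual` are `__u32`, so the `>=` comparisons mix signedness; declaring them `u32` fixes that and the resulting compiler warning. Minor: `memcpy(&modded, rect, sizeof(struct fb_fillrect))` can be the plain struct assignment `modded = *rect;`. Finally, the visible code only delegates to fb_fillrect(), so the commit message should say why the guard belongs in sys_fillrect rather than in fb_fillrect, where any other caller of that helper would be covered as well.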
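The three validation steps from the commit message, as an added stand-alone C example (not the kernel's code and not the patch author's) using a constructed stand-in for struct fb_fillrect; it uses unsigned arithmetic and the subtract form of the clip so the addition form's wrap cannot occur, and keeps the addition form only to show where it wraps.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for struct fb_fillrect: in the real UAPI header
 * dx, dy, width and height are __u32, so they are uint32_t here. */
struct rect {
    uint32_t dx, dy, width, height;
};

/*
 * Clip r to a vxres x vyres virtual framebuffer: reject empty rectangles,
 * reject an origin outside the virtual resolution, then shrink width and
 * height. Returns false when nothing is left to draw.
 *
 * The clip is `width > vxres - dx` rather than `dx + width > vxres`: after
 * the origin check dx < vxres holds, so the subtraction cannot underflow,
 * whereas the addition wraps in 32 bits for a large width and would let
 * the unclipped rectangle through.
 */
static bool clip_rect_to_virt(struct rect *r, uint32_t vxres, uint32_t vyres)
{
    if (!r->width || !r->height || r->dx >= vxres || r->dy >= vyres)
        return false;
    if (r->width > vxres - r->dx)
        r->width = vxres - r->dx;
    if (r->height > vyres - r->dy)
        r->height = vyres - r->dy;
    return true;
}

/* The addition form, kept only to show the wrap; true means "not clipped". */
static bool add_form_passes(uint32_t dx, uint32_t width, uint32_t vxres)
{
    uint32_t end = dx + width;   /* wraps modulo 2^32 */
    return !(end > vxres);
}

/* Helpers returning the clipped size, or 0 when the rectangle is rejected. */
static uint32_t clipped_width(uint32_t dx, uint32_t dy, uint32_t w, uint32_t h, uint32_t vxres, uint32_t vyres)
{
    struct rect r = { dx, dy, w, h };
    return clip_rect_to_virt(&r, vxres, vyres) ? r.width : 0;
}

static uint32_t clipped_height(uint32_t dx, uint32_t dy, uint32_t w, uint32_t h, uint32_t vxres, uint32_t vyres)
{
    struct rect r = { dx, dy, w, h };
    return clip_rect_to_virt(&r, vxres, vyres) ? r.height : 0;
}
```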