|
Thomas Zimmermann |
2e6300 |
From 2b09d5d364986f724f17001ccfe4126b9b43a0be Mon Sep 17 00:00:00 2001
|
|
Thomas Zimmermann |
2e6300 |
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Thomas Zimmermann |
2e6300 |
Date: Sun, 29 Jan 2023 16:17:40 +0100
|
|
Thomas Zimmermann |
2e6300 |
Subject: fbcon: Check font dimension limits
|
|
Thomas Zimmermann |
2e6300 |
Git-commit: 2b09d5d364986f724f17001ccfe4126b9b43a0be
|
|
Thomas Zimmermann |
2e6300 |
Patch-mainline: v6.2-rc7
|
|
Thomas Zimmermann |
2e6300 |
References: bsc#1154048
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
blit_x and blit_y are u32, so fbcon currently cannot support fonts
|
|
Thomas Zimmermann |
2e6300 |
larger than 32x32.
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
The 32x32 case also needs shifting an unsigned int, to properly set bit
|
|
Thomas Zimmermann |
2e6300 |
31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font",
|
|
Thomas Zimmermann |
2e6300 |
as reported on:
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB9830.namprd07.prod.outlook.com
|
|
Thomas Zimmermann |
2e6300 |
Kernel Branch: 6.2.0-rc5-next-20230124
|
|
Thomas Zimmermann |
2e6300 |
Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing
|
|
Thomas Zimmermann |
2e6300 |
Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=sharing
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
Reported-by: Sanan Hasanov <sanan.hasanov@Knights.ucf.edu>
|
|
Thomas Zimmermann |
2e6300 |
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Thomas Zimmermann |
2e6300 |
Fixes: 2d2699d98492 ("fbcon: font setting should check limitation of driver")
|
|
Thomas Zimmermann |
2e6300 |
Cc: stable@vger.kernel.org
|
|
Thomas Zimmermann |
2e6300 |
Tested-by: Miko Larsson <mikoxyzzz@gmail.com>
|
|
Thomas Zimmermann |
2e6300 |
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Thomas Zimmermann |
2e6300 |
Signed-off-by: Helge Deller <deller@gmx.de>
|
|
Thomas Zimmermann |
2e6300 |
Acked-by: Thomas Zimmermann <tzimmermann@suse.com>
|
|
Thomas Zimmermann |
2e6300 |
---
|
|
Thomas Zimmermann |
2e6300 |
drivers/video/console/fbcon.c | 7 +++++--
|
|
Thomas Zimmermann |
2e6300 |
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
|
|
Thomas Zimmermann |
2e6300 |
index 14a7d404062c..1b14c21af2b7 100644
|
|
Thomas Zimmermann |
2e6300 |
--- a/drivers/video/console/fbcon.c
|
|
Thomas Zimmermann |
2e6300 |
+++ b/drivers/video/console/fbcon.c
|
|
Thomas Zimmermann |
2e6300 |
@@ -2495,9 +2495,12 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
|
|
Thomas Zimmermann |
2e6300 |
h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres))
|
|
Thomas Zimmermann |
2e6300 |
return -EINVAL;
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
+ if (font->width > 32 || font->height > 32)
|
|
Thomas Zimmermann |
2e6300 |
+ return -EINVAL;
|
|
Thomas Zimmermann |
2e6300 |
+
|
|
Thomas Zimmermann |
2e6300 |
/* Make sure drawing engine can handle the font */
|
|
Thomas Zimmermann |
2e6300 |
- if (!(info->pixmap.blit_x & (1 << (font->width - 1))) ||
|
|
Thomas Zimmermann |
2e6300 |
- !(info->pixmap.blit_y & (1 << (font->height - 1))))
|
|
Thomas Zimmermann |
2e6300 |
+ if (!(info->pixmap.blit_x & BIT(font->width - 1)) ||
|
|
Thomas Zimmermann |
2e6300 |
+ !(info->pixmap.blit_y & BIT(font->height - 1)))
|
|
Thomas Zimmermann |
2e6300 |
return -EINVAL;
|
|
Thomas Zimmermann |
2e6300 |
|
|
Thomas Zimmermann |
2e6300 |
/* Make sure driver can handle the font length */
|
|
Thomas Zimmermann |
2e6300 |
--
|
|
Thomas Zimmermann |
2e6300 |
2.40.1
|
|
Thomas Zimmermann |
2e6300 |
|