From e64242caef18b4a5840b0e7a9bff37abd4f4f933 Mon Sep 17 00:00:00 2001
From: Helge Deller <deller@gmx.de>
Date: Sat, 25 Jun 2022 13:00:34 +0200
Subject: [PATCH] fbcon: Prevent that screen size is smaller than font size
Git-commit: e64242caef18b4a5840b0e7a9bff37abd4f4f933
Patch-mainline: v5.19-rc6
References: CVE-2021-33655 bsc#1201635

[ backport note: the patch was heavily modified to be adaptable to the
  old kernel code where both fbcon and fbmem were still separated.
  The original patch exports fbcon_modechange_possible() from fbcon to
  be used by fbmem, but it's not possible with the old kernel.
  Hence, this patch makes fbcon_modechange_possible() to be called via
  the fb notifier instead.  fbmem calls the notifier with the new event
  type. -- tiwai ]

We need to prevent that users configure a screen size which is smaller than the
currently selected font size. Otherwise rendering chars on the screen will
access memory outside the graphics memory region.

This patch adds a new function fbcon_modechange_possible() which
implements this check and which later may be extended with other checks
if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
for a too small screen size.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v5.4+
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/video/console/fbcon.c    |   29 +++++++++++++++++++++++++++++
 drivers/video/fbdev/core/fbmem.c |    7 ++++++-
 include/linux/fb.h               |    2 ++
 3 files changed, 37 insertions(+), 1 deletion(-)

--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -2676,6 +2676,32 @@ static void fbcon_set_all_vcs(struct fb_
 		fbcon_modechanged(info);
 }
 
+/* let fbcon check if it supports a new screen resolution */
+static int fbcon_modechange_possible(struct fb_info *info,
+				     struct fb_var_screeninfo *var)
+{
+	struct fbcon_ops *ops = info->fbcon_par;
+	struct vc_data *vc;
+	unsigned int i;
+
+	if (!ops)
+		return 0;
+
+	/* prevent setting a screen size which is smaller than font size */
+	for (i = first_fb_vc; i <= last_fb_vc; i++) {
+		vc = vc_cons[i].d;
+		if (!vc || vc->vc_mode != KD_TEXT ||
+			   registered_fb[con2fb_map[i]] != info)
+			continue;
+
+		if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
+		    vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
+			return notifier_from_errno(-EINVAL);
+	}
+
+	return 0;
+}
+
 static int fbcon_mode_deleted(struct fb_info *info,
 			      struct fb_videomode *mode)
 {
@@ -3031,6 +3057,9 @@ static int fbcon_event_notify(struct not
 		idx = info->node;
 		fbcon_remap_all(idx);
 		break;
+	case FB_EVENT_MODE_CHANGE_CHECK:
+		ret = fbcon_modechange_possible(event->info, event->data);
+		break;
 	}
 done:
 	return ret;
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1123,7 +1123,12 @@ static long do_fb_ioctl(struct fb_info *
 			return -ENODEV;
 		}
 		info->flags |= FBINFO_MISC_USEREVENT;
-		ret = fb_set_var(info, &var);
+		event.info = info;
+		event.data = &var;
+		ret = fb_notifier_call_chain(FB_EVENT_MODE_CHANGE_CHECK, &event);
+		ret = notifier_to_errno(ret);
+		if (!ret)
+			ret = fb_set_var(info, &var);
 		info->flags &= ~FBINFO_MISC_USEREVENT;
 		unlock_fb_info(info);
 		console_unlock();
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -162,6 +162,8 @@ struct fb_cursor_user {
 #define FB_EARLY_EVENT_BLANK		0x10
 /*      A hardware display blank revert early change occured */
 #define FB_R_EARLY_EVENT_BLANK		0x11
+/* pre-check for mode change (used only by fbcon) */
+#define FB_EVENT_MODE_CHANGE_CHECK	0x12
 
 struct fb_event {
 	struct fb_info *info;