fbcon: Fix global-out-of-bounds read in fbcon_get_font() - kernel/linux.git

diff options

author	Peilin Ye <yepeilin.cs@gmail.com>	2020-09-24 16:43:48 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-10-14 10:46:21 +0300
commit	0e3e69e0a8bc516e37ee3b496779b60e660b5ea5 (patch)
tree	42611482a9bff9ed8b2627f46bbcdef8bb0c4daa /include/crypto/cryptd.h
parent	17b0824cffb94d61866e5cdc59441a5a62576cf2 (diff)
download	linux-0e3e69e0a8bc516e37ee3b496779b60e660b5ea5.tar.xz

fbcon: Fix global-out-of-bounds read in fbcon_get_font()

commit 5af08640795b2b9a940c9266c0260455377ae262 upstream. fbcon_get_font() is reading out-of-bounds. A malicious user may resize `vc->vc_font.height` to a large value, causing fbcon_get_font() to read out of `fontdata`. fbcon_get_font() handles both built-in and user-provided fonts. Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in fonts, so fix it by adding range checks using FNTSIZE(). This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts". Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include/crypto/cryptd.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: