Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1007563yba; Thu, 4 Apr 2019 02:17:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqzN59xraq6ySjO4plajqEmttRHvz9+n2RznCItwPzsmYzXrUs7lEPPbtLHc77oJgsWrM3FA X-Received: by 2002:a17:902:31c3:: with SMTP id x61mr5025803plb.143.1554369422550; Thu, 04 Apr 2019 02:17:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554369422; cv=none; d=google.com; s=arc-20160816; b=XI1VqYToKWT99EYvigMYkm+u6w1XIYZGOYynznCQXIAduqVUwYrhR2329esU69E/1u VmEGaIgqnCT1gOxaNQ5GSZF455QjGteYEYqQgBgLNkjOAdebsdPpWaKKi6xkNyLCpB8X J66l3JZSvC1Pzy+e879vLKPmsYaqZ7fa2i+yHOtKM9M6TwBAM5d19XMz2tsIBBCMrGWm 1iNVlxRieDyac3h/C2zjEE70QTeGiiIT8geaaU5v1kxaRgXXOTQB1O6hzYqyJ3JZGo+T dHolOJiXc4PV0JwnZUQsNax1dB0sRNYu0kKPmr8ZfCLKdkThocb+Oo+dgMN394aS0G7z 9vAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wrfDP7SUzImvIOg9sJb4H+BYWn1VqkctgSCm67kjoOU=; b=f9nIIofNBR/z3m7nhDOd0vV6td2Mn1zHJuKSiP3JmFVdDbUiEeFo5zcg1xYTxSokOc EHDsFUxCnCZK9kBpbk0xEc7i9FJuJ7jB8jLlybnodDgVdRz6xVBsAbop0zfHvWSRgulQ 7OOtdzUxI3g7x32gZuqtX6YW2VTHjqfvwjcoUYcJz3BRAC7cDiw7p2cZrjobtq9Tm6Vv Xf4CHhLIkW3fRFAw+/Be/uwyJt1uQAVIiVu0WOhbrWwSryhWkvM/S6flITHgROKQTWLJ IqQE1G0QR04fDmhgDPOgDyCiTBUju+8XR1mDxOjbF+kbMtVMCZ9UZrqo510u6ArVVZdC s9TA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WcbVEJsK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h20si9224935pgv.352.2019.04.04.02.16.47; Thu, 04 Apr 2019 02:17:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WcbVEJsK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387809AbfDDJPA (ORCPT + 99 others); Thu, 4 Apr 2019 05:15:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:55840 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387798AbfDDJO7 (ORCPT ); Thu, 4 Apr 2019 05:14:59 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E0F562054F; Thu, 4 Apr 2019 09:14:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554369298; bh=dzFEw8RibLK6I7O5VaLffKsuRIfzw+3nMAgw1SvXEi0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WcbVEJsKhXFVJ6OY2yIZXaIhhjwIslv1HO0lwfgfsT6bXRFMVNV03V/DvzOwV25Lp 8IdPudTuWEhP1xWI/1L62zK1fPLI5vDiKimvFk5tVxndpoCgm5yrls5q1FCenme//a xCyA/hojzjr0zPq4h/27p5vW4/S4vyZQnKWGlZ98= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Manfred Schlaegl , Martin Kepplinger , Daniel Vetter , Bartlomiej Zolnierkiewicz , Sasha Levin Subject: [PATCH 5.0 158/246] fbdev: fbmem: fix memory access if logo is bigger than the screen Date: Thu, 4 Apr 2019 10:47:38 +0200 Message-Id: <20190404084624.702648189@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084619.236418459@linuxfoundation.org> References: <20190404084619.236418459@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 5.0-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit a5399db139cb3ad9b8502d8b1bd02da9ce0b9df0 ] There is no clipping on the x or y axis for logos larger that the framebuffer size. Therefore: a logo bigger than screen size leads to invalid memory access: [ 1.254664] Backtrace: [ 1.254728] [] (cfb_imageblit) from [] (fb_show_logo+0x620/0x684) [ 1.254763] r10:00000003 r9:00027fd8 r8:c6a40000 r7:c6a36e50 r6:00000000 r5:c06b81e4 [ 1.254774] r4:c6a3e800 [ 1.254810] [] (fb_show_logo) from [] (fbcon_switch+0x3fc/0x46c) [ 1.254842] r10:c6a3e824 r9:c6a3e800 r8:00000000 r7:c6a0c000 r6:c070b014 r5:c6a3e800 [ 1.254852] r4:c6808c00 [ 1.254889] [] (fbcon_switch) from [] (redraw_screen+0xf0/0x1e8) [ 1.254918] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:c070d5a0 r5:00000080 [ 1.254928] r4:c6808c00 [ 1.254961] [] (redraw_screen) from [] (do_bind_con_driver+0x194/0x2e4) [ 1.254991] r9:00000000 r8:00000000 r7:00000014 r6:c070d5a0 r5:c070d5a0 r4:c070d5a0 So prevent displaying a logo bigger than screen size and avoid invalid memory access. Signed-off-by: Manfred Schlaegl Signed-off-by: Martin Kepplinger Cc: Daniel Vetter Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin --- drivers/video/fbdev/core/fbmem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index cb43a2258c51..4721491e6c8c 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -431,6 +431,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, { unsigned int x; + if (image->width > info->var.xres || image->height > info->var.yres) + return; + if (rotate == FB_ROTATE_UR) { for (x = 0; x < num && image->dx + image->width <= info->var.xres; -- 2.19.1