Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3254036pxb;
        Sun, 29 Aug 2021 19:31:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxpNlc7ILIq7qg4+OTKZANE+IJjKoaomUa8AQcZRj+qHvlhzSm3x9dWts8mvNWdIBT+I0lc
X-Received: by 2002:a17:906:af9a:: with SMTP id mj26mr22233906ejb.96.1630290666937;
        Sun, 29 Aug 2021 19:31:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1630290666; cv=none;
        d=google.com; s=arc-20160816;
        b=q4Da9UDjajrgLthG9cvVOAEzpuR6yv5cvKtWCy+831KBp9OH7LpWSWI0/hW8aWQT8U
         qvW5tN2a+4c50Iy6GxMWhoPw3+rSWndL+gpntVjWDZijkFgUGuXe6neBl5Y7ekDBDlTa
         VzA/3jo/zQymD8PTrLb4qB9KKFehWNmLmbeiCGkMt0e8K1JkdVWsBSeaCAbDQ0X7DINg
         DPDbounqVxi5IOyLKH3KJSYt25ohrpTaiPanrUw5yvG1FYsgBjPMEgjD+8an5zCNCSZq
         w0hUM8fXrwnOeGqCywr0jUckuHW9N4UQFbbe5FQcXOiYtcp0R65PwTAocVWTod5fgnNW
         LhTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=/1rrEKz+OVPyVj0NFYMH4dI8MWRgTGEU9jQaviCidIE=;
        b=gW+KRhLzRVxF5nIh+9YSiGQrMNrxU67fIzQxivlUCaA2cUh/ByZxnGJRggPxhBL9J/
         /TuoetMUIvm5eMRYg19HL4i4RONn740hr6XHNpHZFdZHyopP2hwMF7qfnNjP24R4WXRL
         Q8HHuSnSywMa6kxoLB1bvEZGooLuHIjcF3/0QiMgmEE24Vjchyc9sZXQHPpp/YA9lu93
         uFxVj67qRmTTg1dfgffkbL4arC5Z6+/myeYcVfeglUKXoQ+Uk90Wvjvuy0Rrmq7YuqXn
         MX0IyA2JC78Wd/aF1vRuo+KtIKms2HYc55AYVeYbb4Y5lOFJjp4x+057lc0ljZaFwj0J
         WSAA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bm24si11964277ejb.577.2021.08.29.19.30.43;
        Sun, 29 Aug 2021 19:31:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236201AbhH3C2Y (ORCPT <rfc822;liunan257@gmail.com> + 99 others);
        Sun, 29 Aug 2021 22:28:24 -0400
Received: from www262.sakura.ne.jp ([202.181.97.72]:62223 "EHLO
        www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235940AbhH3C2X (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 29 Aug 2021 22:28:23 -0400
Received: from fsav313.sakura.ne.jp (fsav313.sakura.ne.jp [153.120.85.144])
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 17U2RT56028520;
        Mon, 30 Aug 2021 11:27:29 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav313.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav313.sakura.ne.jp);
 Mon, 30 Aug 2021 11:27:29 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav313.sakura.ne.jp)
Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
        (authenticated bits=0)
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 17U2RS7V028517
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO);
        Mon, 30 Aug 2021 11:27:28 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Subject: Re: [syzbot] BUG: unable to handle kernel paging request in
 vga16fb_fillrect
To:     Randy Dunlap <rdunlap@infradead.org>
Cc:     Geert Uytterhoeven <geert@linux-m68k.org>,
        syzbot <syzbot+04168c8063cfdde1db5e@syzkaller.appspotmail.com>,
        akpm@linux-foundation.org, b.zolnierkie@samsung.com,
        colin.king@canonical.com, dri-devel@lists.freedesktop.org,
        linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        masahiroy@kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000815b9605c70e74f8@google.com>
 <131b24e5-ee31-6f7b-42b4-c34583711913@infradead.org>
From:   Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Message-ID: <2fccb5d3-191c-924e-159f-1c9d423e282f@i-love.sakura.ne.jp>
Date:   Mon, 30 Aug 2021 11:27:27 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <131b24e5-ee31-6f7b-42b4-c34583711913@infradead.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021/08/30 9:24, Randy Dunlap wrote:
> Note that yres_virtual is set to 0x10000000. Is there no practical limit
> (hence limit check) that can be used here?
> 
> Also, in vga16fb_check_var(), beginning at line 404:
> 
>   404        if (yres > vyres)
>   405            vyres = yres;
>   406        if (vxres * vyres > maxmem) {
>   407            vyres = maxmem / vxres;
>   408            if (vyres < yres)
>   409                return -ENOMEM;
>   410        }
> 
> At line 406, the product of vxres * vyres overflows 32 bits (is 0 in this
> case/example), so any protection from this block is lost.

OK. Then, we can check overflow like below.

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index e2757ff1c23d..e483a3f5fd47 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -403,7 +403,7 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var,
 
 	if (yres > vyres)
 		vyres = yres;
-	if (vxres * vyres > maxmem) {
+	if ((u64) vxres * vyres > (u64) maxmem) {
 		vyres = maxmem / vxres;
 		if (vyres < yres)
 			return -ENOMEM;

But I think we can check overflow in the common code like below. (Both patch fixed the oops.)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 1c855145711b..8899679bbc46 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1008,6 +1008,11 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 	if (var->xres < 8 || var->yres < 8)
 		return -EINVAL;
 
+	/* Don't allow u32 * u32 to overflow. */
+	if ((u64) var->xres * var->yres > (u64) UINT_MAX ||
+	    (u64) var->xres_virtual * var->yres_virtual > (u64) UINT_MAX)
+		return -EINVAL;
+
 	ret = info->fbops->fb_check_var(var, info);
 
 	if (ret)

> 
> But even if yres_virtual (aka vyres) is "only" 0x01000000, so no
> multiplication overflow occurs, the resulting value of vyres "seems"
> to still be too large and can cause an error [I'm not sure about this
> last part -- I need to use a new gcc so that KASAN will work.]