Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3721917pxb; Mon, 30 Aug 2021 09:07:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyhIGBolhxj1HZDqckXO7K0lC45C+1tqMyOCrqAwAVZ6JY70pAwdsYlMECgGCB1aRT2qD0/ X-Received: by 2002:a05:6402:1512:: with SMTP id f18mr24870573edw.303.1630339650532; Mon, 30 Aug 2021 09:07:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630339650; cv=none; d=google.com; s=arc-20160816; b=YuR9VftNh9e45b5elRytuQp7wN1jr+pOG43q7huvLUP+yoNugBki2jdO0vOXCWhFdh YHxmvgp6Tgq/nKDYr7YS3fxPki5m49YCKPLd/XIdYqU06uo9UbrLSLwuwhqhH1EsJ3+F euMqWtNaJeuyzgIsejoy9tKVL0O1qf1X7FdjLPg30reAyMy1L+f+L5zUz4u/4vnNgypw o+Pw6i7xl0fQMHC6nn6vZTOGU0Vl1hyYoxbYQ3apm5/KQi9CBt2Ru+vtVNu6BCbvNM3z n8UrRDUKFc3VFdnPEWlDMrXV1jy8H5O1RhEIbQalKhk9pPwzv1RaTAQzOE/vnBhw9B8A HpEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=LVWnXPJgCPeqfd03c9Fku5lfXzbfKR2iATwZKf3haxs=; b=J2+zZ+dQcuN4GGSwd0OLGVWJsbG8daGAt3o0KHB49u5eqYtRrt3a1qMbsAYzOsHbVy xJW5ckKGeE7bTeS84d25+g2iwSqDLP4j8snJ/5Fc+UOlclI4zwqU//LvMU/ytUEzkIPp ACsF9ThM7o5c1WOhhRTJL/cO/2BTPvdTrjopmuzFv7R4TU4k/jI7lw6ImKNfVulPCKcf RNwJ3UZEufuaFORpUlFF++ECxxyEi+swZ30d/5293MW/ihYmlSZ79d4UuZyo09GMCOfI QlqS3pqk06oYdArqjazxO6cLE9t24HHf2IPSot7zs4qiKZPDOvG2ZWqWkBjBZJcu5aYK aO9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g12si15479333edy.563.2021.08.30.09.06.53; Mon, 30 Aug 2021 09:07:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237822AbhH3QGD (ORCPT + 99 others); Mon, 30 Aug 2021 12:06:03 -0400 Received: from www262.sakura.ne.jp ([202.181.97.72]:65103 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237750AbhH3QGD (ORCPT ); Mon, 30 Aug 2021 12:06:03 -0400 Received: from fsav312.sakura.ne.jp (fsav312.sakura.ne.jp [153.120.85.143]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 17UG571e040414; Tue, 31 Aug 2021 01:05:07 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav312.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav312.sakura.ne.jp); Tue, 31 Aug 2021 01:05:07 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav312.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 17UG56nK040407 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Tue, 31 Aug 2021 01:05:07 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: [PATCH] fbmem: don't allow too huge resolutions To: Daniel Vetter , Geert Uytterhoeven Cc: syzbot , akpm@linux-foundation.org, b.zolnierkie@samsung.com, colin.king@canonical.com, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, masahiroy@kernel.org, syzkaller-bugs@googlegroups.com, Randy Dunlap References: <000000000000815b9605c70e74f8@google.com> <131b24e5-ee31-6f7b-42b4-c34583711913@infradead.org> <2fccb5d3-191c-924e-159f-1c9d423e282f@i-love.sakura.ne.jp> <339bfb21-8e80-c7d9-46dd-c416f87c50c0@infradead.org> From: Tetsuo Handa Message-ID: <535e404d-03bf-8e7a-b296-132a2a98c599@i-love.sakura.ne.jp> Date: Tue, 31 Aug 2021 01:05:05 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: <339bfb21-8e80-c7d9-46dd-c416f87c50c0@infradead.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org syzbot is reporting page fault at vga16fb_fillrect() [1], for vga16fb_check_var() is failing to detect multiplication overflow. if (vxres * vyres > maxmem) { vyres = maxmem / vxres; if (vyres < yres) return -ENOMEM; } Since no module would accept too huge resolutions where multiplication overflow happens, let's reject in the common path. This patch does not use array_size(), for array_size() is allowed to return UINT_MAX on 32bits even if overflow did not happen. We want to detect only overflow here, for individual module will recheck with more strict limits as needed. Link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e [1] Reported-by: syzbot Debugged-by: Randy Dunlap Signed-off-by: Tetsuo Handa Tested-by: syzbot --- drivers/video/fbdev/core/fbmem.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 1c855145711b..9f5075dc2345 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1008,6 +1008,11 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) if (var->xres < 8 || var->yres < 8) return -EINVAL; + /* Don't allow u32 * u32 to overflow. */ + if ((u64) var->xres * var->yres > UINT_MAX || + (u64) var->xres_virtual * var->yres_virtual > UINT_MAX) + return -EINVAL; + ret = info->fbops->fb_check_var(var, info); if (ret) -- 2.18.4