Received: by 2002:a05:6a10:6d25:0:0:0:0 with SMTP id gq37csp1850942pxb; Mon, 13 Sep 2021 06:55:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzsIlP1OIVEtrxCf4znDIgV7S+9ZhO9MS5Bf+BB0tE+Jo9yT6V34mFHdcNQOaa8+TTSJxIc X-Received: by 2002:a05:6402:1841:: with SMTP id v1mr13509860edy.170.1631541359723; Mon, 13 Sep 2021 06:55:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631541359; cv=none; d=google.com; s=arc-20160816; b=frKMK0v9Vstz6Q1YRf2nXN4ZBvVrErX9mEFx6ulTaB50VusMg0PGeLlZcMfAUj77Bh EJJQHLcPoV/2dOHQkQOIry8yjvSO9QpblSC+VlkjAtoqKE1I4bs0C34bIB3cAdezzfbS CdgGI5g851DYisGKePtASew2blIrvTBkbvOqF4K0xbDmh8tBLOxb4DN4LvU0y2v7EPTy SOPHRDM81hBluHL9qWTju4sZksxk7FRczsCx9+TB+CsCBZ5RAagsms4CacB470o7X+hJ Sr9/YakjTUiQzq1yiwU+O9O9f+zE5gCwVEdzyZT8a4WzLPYMjbSgtb0LHXvveqwolkL9 LpDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=FNfF0vj/bkHTJGzxYtLvKR73eljfAUbQ6Bxb0wXZTcw=; b=A5hTuXn9+Rn2EqRoikbTDxgnuoiDXMTCAcFAoUBY2Iq67DLDqmtiTzvKpYvk1zbEHF 8KnSGO6DqaD5XyRK3lDxmm/yUz+weub2myFsTDdTEuWK/TXy0s3fioL4nf77rqINDqSI zShmuxUxfpVsraOH6NA1yrsTdD7j8vhL+uiMPQ6DxIfT45hGDZfbNrPHiZIW8pSO9B8Z AEkiipHAKjKKZCjv+tTtaq5SYbcG0j5CESPRXNH8xQN6YQYjX/T/WdNGWXMc3Z5BaKl2 397ZtUvfeZRRblj+GWQ9B+t92ja3fqCk8cUaRnuDoPYqRfXS3uWAGoga88rOg/JDfYQ1 qGdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=e8XoPA9J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c102si7706855edf.195.2021.09.13.06.55.32; Mon, 13 Sep 2021 06:55:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=e8XoPA9J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243929AbhIMNyD (ORCPT + 99 others); Mon, 13 Sep 2021 09:54:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:59272 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243252AbhIMNsw (ORCPT ); Mon, 13 Sep 2021 09:48:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 72C9E61507; Mon, 13 Sep 2021 13:32:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631539973; bh=/g+trBMoQm5LAjyoHsSB+HdF4wGta3FusR7hgMEIbGE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e8XoPA9JHWv7mc1TfYWh+SWPibVeusauKQry9NijRIDFAnqoxWyIDVaN7bwldUI4I akQyDEprybbo9/RS1F1c4iAtrMxqFcXX47i7kTeawVQS9bhbqnhc3wmYS3oCbxX/Nn LTZIW12v7T2swyCPe4N974KVNNz5vCignhjOoaGc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Tetsuo Handa , Geert Uytterhoeven , Daniel Vetter , Randy Dunlap Subject: [PATCH 5.10 234/236] fbmem: dont allow too huge resolutions Date: Mon, 13 Sep 2021 15:15:39 +0200 Message-Id: <20210913131108.302535853@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131100.316353015@linuxfoundation.org> References: <20210913131100.316353015@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tetsuo Handa commit 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae upstream. syzbot is reporting page fault at vga16fb_fillrect() [1], for vga16fb_check_var() is failing to detect multiplication overflow. if (vxres * vyres > maxmem) { vyres = maxmem / vxres; if (vyres < yres) return -ENOMEM; } Since no module would accept too huge resolutions where multiplication overflow happens, let's reject in the common path. Link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e [1] Reported-by: syzbot Debugged-by: Randy Dunlap Signed-off-by: Tetsuo Handa Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/185175d6-227a-7b55-433d-b070929b262c@i-love.sakura.ne.jp Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/core/fbmem.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -962,6 +962,7 @@ fb_set_var(struct fb_info *info, struct struct fb_var_screeninfo old_var; struct fb_videomode mode; struct fb_event event; + u32 unused; if (var->activate & FB_ACTIVATE_INV_MODE) { struct fb_videomode mode1, mode2; @@ -1008,6 +1009,11 @@ fb_set_var(struct fb_info *info, struct if (var->xres < 8 || var->yres < 8) return -EINVAL; + /* Too huge resolution causes multiplication overflow. */ + if (check_mul_overflow(var->xres, var->yres, &unused) || + check_mul_overflow(var->xres_virtual, var->yres_virtual, &unused)) + return -EINVAL; + ret = info->fbops->fb_check_var(var, info); if (ret)