Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2319034pxb; Mon, 20 Sep 2021 18:41:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwY7fgErfueTPUYp71ty64wrnkM+g0XPfw34nErRd5bOWkXL+DUjVwiAQlq5ru4HKEJIxqn X-Received: by 2002:a05:6e02:12e1:: with SMTP id l1mr10998152iln.286.1632188507963; Mon, 20 Sep 2021 18:41:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632188507; cv=none; d=google.com; s=arc-20160816; b=Beo7XSsbw+UJiKmuye8C+1J4aVGNjoVvADZCKtRRCzmXiYzxJLtNOvYQLRN8Y7ce6W cRqC7UoVJn3KVRzvVZYYvt2iN6UYGbfE4fQTzOunSdSec4FUNF44bIqz8uzpZEyqanEz bPJZ2g3RFQXrCF30gV4wP8uSWKmMh3VA0gb4OjJkoTXKmeoGpwKtND2Rqe6PPZrmEAIB jrkl+PBEIHo/ZzxOqgMxiIb/GKHVVh90MEUPNUuUA0lo/GrphAUNxfQstxuWuxyeY07G ttiZ8JfRQfrDLDZFol5f3BXLXTqY2TPuiJPNsjWKpmCZC2Sa11MFh9Z8M3s8Omft9Xqq B1fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9K0lQu7ajrTxtU5vNJhfDqPwvz/1WM5W4e9YJYpggZI=; b=F5ox+BrAPxQuFT0PWj8UHS6pa6oBq+WNgx/dyCp+h6mi5INBdyhGjkeNpYf/ilIqQV WicrWOLav7LGdHDEIJrKeyhctIZpu2ZQwf82tWrsHItkI+IzNeW9A8yWWavkhd1BCyfy USLSa7f7GuUoqAh+gny0NGWLUnzxmeFo1o6lW7UzRUja2ArssXLzc7gwOjQc9N3Rbp+i 6Y25H7r7OXKdciupZo7DdTAd6zneLkubCxNLfbf5AMmvujA4ofbnqY/ZGMGjcMtnhmfs yjpPbUMY+Zb+pfcqPzT5WHILgHhQNjMLKlcVr7vxGVkwPIulmyHQ9tqubTGyBg8r3kJd UYFg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YIMgAzXX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i3si16835214iom.99.2021.09.20.18.41.36; Mon, 20 Sep 2021 18:41:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YIMgAzXX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243121AbhITQuq (ORCPT + 99 others); Mon, 20 Sep 2021 12:50:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:35830 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240497AbhITQtK (ORCPT ); Mon, 20 Sep 2021 12:49:10 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AAADC61245; Mon, 20 Sep 2021 16:47:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632156463; bh=JoJnfJUhrHuuTFazKuu0Ypzikb0GMKaDZPZ1lsyY3es=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YIMgAzXXYvsIntRvadlw1bE6V2aKqe78cu/hz9WRlYUNCO/rYqHnUszn91Uj7ZRw1 e+tiTSvVOXQqj8VY/svnIk6MAKvTgl1z7fbeulXV4xJE7Wr1eVFH5dT6r4zRuOfIlD nmR7o0RJKz5ExN+wFTjA3YyaL5B4ygcaLbfOjY1g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Tetsuo Handa , Geert Uytterhoeven , Daniel Vetter , Randy Dunlap Subject: [PATCH 4.4 071/133] fbmem: dont allow too huge resolutions Date: Mon, 20 Sep 2021 18:42:29 +0200 Message-Id: <20210920163914.971126444@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163912.603434365@linuxfoundation.org> References: <20210920163912.603434365@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tetsuo Handa commit 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae upstream. syzbot is reporting page fault at vga16fb_fillrect() [1], for vga16fb_check_var() is failing to detect multiplication overflow. if (vxres * vyres > maxmem) { vyres = maxmem / vxres; if (vyres < yres) return -ENOMEM; } Since no module would accept too huge resolutions where multiplication overflow happens, let's reject in the common path. Link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e [1] Reported-by: syzbot Debugged-by: Randy Dunlap Signed-off-by: Tetsuo Handa Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/185175d6-227a-7b55-433d-b070929b262c@i-love.sakura.ne.jp Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/core/fbmem.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -32,6 +32,7 @@ #include #include #include +#include #include @@ -981,6 +982,7 @@ fb_set_var(struct fb_info *info, struct if ((var->activate & FB_ACTIVATE_FORCE) || memcmp(&info->var, var, sizeof(struct fb_var_screeninfo))) { u32 activate = var->activate; + u32 unused; /* When using FOURCC mode, make sure the red, green, blue and * transp fields are set to 0. @@ -1005,6 +1007,11 @@ fb_set_var(struct fb_info *info, struct if (var->xres < 8 || var->yres < 8) return -EINVAL; + /* Too huge resolution causes multiplication overflow. */ + if (check_mul_overflow(var->xres, var->yres, &unused) || + check_mul_overflow(var->xres_virtual, var->yres_virtual, &unused)) + return -EINVAL; + ret = info->fbops->fb_check_var(var, info); if (ret)