From: Zhang Shurong
To: daniel@ffwll.ch
Cc: deller@gmx.de, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, Zhang Shurong
Subject: [PATCH] video: fbdev: fix potential OOB read in fast_imageblit()
Date: Sun, 25 Jun 2023 00:16:49 +0800
X-OQ-MSGID: <20230624161649.13823-1-zhang_shurong@foxmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

There is a potential OOB read at fast_imageblit, for "colortab[(*src >> 4)]" can become a negative value due to "const char *s = image->data, *src". This change makes sure the index for colortab is always positive or zero.

Similar commit: https://patchwork.kernel.org/patch/11746067

Potential bug report: https://groups.google.com/g/syzkaller-bugs/c/9ubBXKeKXf4/m/k-QXy4UgAAAJ

Signed-off-by: Zhang Shurong

--- drivers/video/fbdev/core/sysimgblt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/sysimgblt.c b/drivers/video/fbdev/core/sysimgblt.c index 335e92b813fc..665ef7a0a249 100644 --- a/drivers/video/fbdev/core/sysimgblt.c +++ b/drivers/video/fbdev/core/sysimgblt.c @@ -189,7 +189,7 @@ static void fast_imageblit(const struct fb_image *image, struct fb_info *p, u32 fgx = fgcolor, bgx = bgcolor, bpp = p->var.bits_per_pixel; u32 ppw = 32/bpp, spitch = (image->width + 7)/8; u32 bit_mask, eorx, shift; - const char *s = image->data, *src; + const u8 *s = image->data, *src; u32 *dst; const u32 *tab; size_t tablen; -- 2.41.0
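
Review bot: on the changed declaration `const u8 *s = image->data, *src;`, the initializer is left as it was, so if `image->data` is still declared `const char *` (which the removed line implies), the assignment now converts between pointer types that differ in signedness; an explicit `(const u8 *)` cast, or a line in the changelog confirming the build stays warning-free, would make that intentional. The commit message would also be stronger if it said that the negative index only arises on builds where plain `char` is signed, since `*src >> 4` is non-negative when `char` is unsigned, and if it carried a Fixes: tag so the change can be matched to the commit that introduced the `const char *` read. The message quotes `colortab[(*src >> 4)]`, but that expression is outside the visible context of this hunk; naming the line, or the loop it sits in, would let a reader confirm that every read through `src` and `s` in fast_imageblit() is covered by the type change.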