Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)

From: Khalid Masum
Date: Sat Jul 30 2022 - 07:56:29 EST

Next message: Naveen Mamindlapalli: "[net-next PATCH v2 0/4] Add PTP support for CN10K silicon"
Previous message: yf.wang: "[PATCH] dma-debug: Fix overflow issue in bucket_find_contain"
In reply to: syzbot: "Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)"
Next in thread: syzbot: "Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz-test: https://github.com/torvalds/linux.git e0dccc3b76fb

---
drivers/video/fbdev/core/fbcon.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 1a9aa12cf886..d026f3845b60 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2591,14 +2591,13 @@ static unsigned long fbcon_getxy(struct vc_data *vc, unsigned long pos,
{
unsigned long ret;
int x, y;
+ unsigned long offset = (pos - vc->vc_origin) / 2;
+ x = offset % vc->vc_cols;
+ y = offset / vc->vc_cols;
+ ret = pos + (vc->vc_cols - x) * 2;

- if (pos >= vc->vc_origin && pos < vc->vc_scr_end) {
- unsigned long offset = (pos - vc->vc_origin) / 2;
-
- x = offset % vc->vc_cols;
- y = offset / vc->vc_cols;
- ret = pos + (vc->vc_cols - x) * 2;
- } else {
+ if (!pos >= vc->vc_origin || !pos < vc->vc_scr_end ||
+ !ret >= vc->vc_origin || !ret < vc->vc_scr_end) {
/* Should not happen */
x = y = 0;
ret = vc->vc_origin;
--
2.36.1

Next message: Naveen Mamindlapalli: "[net-next PATCH v2 0/4] Add PTP support for CN10K silicon"
Previous message: yf.wang: "[PATCH] dma-debug: Fix overflow issue in bucket_find_contain"
In reply to: syzbot: "Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)"
Next in thread: syzbot: "Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]