Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)

From: Khalid Masum
Date: Mon Aug 01 2022 - 11:42:39 EST


#syz test: https://github.com/torvalds/linux.git 3d7cb6b04c3f

---
drivers/video/fbdev/core/fbcon.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 1a9aa12cf886..d026f3845b60 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2591,14 +2591,13 @@ static unsigned long fbcon_getxy(struct vc_data *vc, unsigned long pos,
{
unsigned long ret;
int x, y;
+ unsigned long offset = (pos - vc->vc_origin) / 2;
+ x = offset % vc->vc_cols;
+ y = offset / vc->vc_cols;
+ ret = pos + (vc->vc_cols - x) * 2;

- if (pos >= vc->vc_origin && pos < vc->vc_scr_end) {
- unsigned long offset = (pos - vc->vc_origin) / 2;
-
- x = offset % vc->vc_cols;
- y = offset / vc->vc_cols;
- ret = pos + (vc->vc_cols - x) * 2;
- } else {
+ if (pos < vc->vc_origin || pos >= vc->vc_scr_end ||
+ ret >= vc->vc_scr_end) {
/* Should not happen */
x = y = 0;
ret = vc->vc_origin;
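Review bot: The added `ret >= vc->vc_scr_end` term in the new condition sends every position on the last screen row into the "Should not happen" branch, because for those positions `ret = pos + (vc->vc_cols - x) * 2` is the start of the next row and, assuming vc_scr_end lies on a row boundary, equals vc_scr_end exactly; the old code returned that value together with the real x and y. If the extra bound is wanted, `ret > vc->vc_scr_end` would keep the last-row result, e.g. `if (pos < vc->vc_origin || pos >= vc->vc_scr_end || ret > vc->vc_scr_end) {`. The offset, x and y are also now computed before pos is validated, so for pos below vc_origin the unsigned subtraction wraps and the values are meaningful only once the check passes; a short comment such as `/* provisional: only valid if pos is inside [vc_origin, vc_scr_end) */` above the arithmetic would make that explicit. The body of fbcon_getxy continues past the end of the hunk, so how x, y and ret are used afterwards is not visible here.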
--
2.36.1