linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Randy Dunlap <rdunlap@infradead.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>,
	syzbot <syzbot+04168c8063cfdde1db5e@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org, b.zolnierkie@samsung.com,
	colin.king@canonical.com, dri-devel@lists.freedesktop.org,
	linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	masahiroy@kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_fillrect
Date: Mon, 30 Aug 2021 11:27:27 +0900	[thread overview]
Message-ID: <2fccb5d3-191c-924e-159f-1c9d423e282f@i-love.sakura.ne.jp> (raw)
In-Reply-To: <131b24e5-ee31-6f7b-42b4-c34583711913@infradead.org>

On 2021/08/30 9:24, Randy Dunlap wrote:
> Note that yres_virtual is set to 0x10000000. Is there no practical limit
> (hence limit check) that can be used here?
> 
> Also, in vga16fb_check_var(), beginning at line 404:
> 
>   404        if (yres > vyres)
>   405            vyres = yres;
>   406        if (vxres * vyres > maxmem) {
>   407            vyres = maxmem / vxres;
>   408            if (vyres < yres)
>   409                return -ENOMEM;
>   410        }
> 
> At line 406, the product of vxres * vyres overflows 32 bits (is 0 in this
> case/example), so any protection from this block is lost.

OK. Then, we can check overflow like below.

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index e2757ff1c23d..e483a3f5fd47 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -403,7 +403,7 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var,
 
 	if (yres > vyres)
 		vyres = yres;
-	if (vxres * vyres > maxmem) {
+	if ((u64) vxres * vyres > (u64) maxmem) {
 		vyres = maxmem / vxres;
 		if (vyres < yres)
 			return -ENOMEM;

But I think we can check overflow in the common code like below. (Both patch fixed the oops.)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 1c855145711b..8899679bbc46 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1008,6 +1008,11 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 	if (var->xres < 8 || var->yres < 8)
 		return -EINVAL;
 
+	/* Don't allow u32 * u32 to overflow. */
+	if ((u64) var->xres * var->yres > (u64) UINT_MAX ||
+	    (u64) var->xres_virtual * var->yres_virtual > (u64) UINT_MAX)
+		return -EINVAL;
+
 	ret = info->fbops->fb_check_var(var, info);
 
 	if (ret)

> 
> But even if yres_virtual (aka vyres) is "only" 0x01000000, so no
> multiplication overflow occurs, the resulting value of vyres "seems"
> to still be too large and can cause an error [I'm not sure about this
> last part -- I need to use a new gcc so that KASAN will work.]


  reply	other threads:[~2021-08-30  2:28 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-14  5:16 [syzbot] BUG: unable to handle kernel paging request in vga16fb_fillrect syzbot
2021-08-30  0:24 ` Randy Dunlap
2021-08-30  2:27   ` Tetsuo Handa [this message]
2021-08-30  2:31     ` Randy Dunlap
2021-08-30 16:05       ` [PATCH] fbmem: don't allow too huge resolutions Tetsuo Handa
2021-08-31  6:48         ` Geert Uytterhoeven
2021-08-31 15:23           ` Tetsuo Handa
2021-08-31 16:20             ` Daniel Vetter
2021-08-31 17:19             ` Geert Uytterhoeven
2021-08-31 18:53               ` Daniel Vetter
2021-08-31 18:56                 ` Geert Uytterhoeven
2021-08-31 19:04                   ` Daniel Vetter
2021-09-01  1:14                     ` [PATCH v2] " Tetsuo Handa
2021-09-01  7:12                       ` Geert Uytterhoeven
2021-09-08 10:27                       ` [PATCH v2 (repost)] " Tetsuo Handa
2021-09-08 16:52                         ` Daniel Vetter
2021-08-30 12:00     ` [syzbot] BUG: unable to handle kernel paging request in vga16fb_fillrect Geert Uytterhoeven
2021-08-30 13:00       ` Dan Carpenter
2021-08-30 13:37         ` Tetsuo Handa
2021-08-30 13:47           ` Dan Carpenter
2021-08-30 14:25             ` Tetsuo Handa
2021-08-30 14:29               ` Dan Carpenter
2021-08-30 14:30               ` Geert Uytterhoeven
2021-08-30 14:38                 ` Tetsuo Handa
2021-08-30 14:53                   ` Geert Uytterhoeven
2021-08-30 15:00                     ` Geert Uytterhoeven

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2fccb5d3-191c-924e-159f-1c9d423e282f@i-love.sakura.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=akpm@linux-foundation.org \
    --cc=b.zolnierkie@samsung.com \
    --cc=colin.king@canonical.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=geert@linux-m68k.org \
    --cc=linux-fbdev@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=masahiroy@kernel.org \
    --cc=rdunlap@infradead.org \
    --cc=syzbot+04168c8063cfdde1db5e@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).