Re: [RFC PATCH] fbcon: Fix out-of-bounds memory in fbcon_putcs

[Helge Deller]

On 3/3/26 15:15, Helge Deller wrote:
> On 2/27/26 15:43, Chen Jun wrote:
> > When a font is set on an invisible console, the screen will not update.
> > However, the fontbuffer is not updated to match the new font dimensions.
> >
> > This inconsistency leads to out-of-bounds memory access when writing to
> > the tty bound to fbcon, as demonstrated by the following KASAN report:
> >
> > BUG: KASAN: slab-out-of-bounds in fb_pad_aligned_buffer+0xdf/0x140
> > Read of size 1 at addr ffff8881195a2280 by task a.out/971
> > Call Trace:
> >   <TASK>
> >   fb_pad_aligned_buffer+0xdf/0x140
> >   ud_putcs+0x88a/0xde0
> >   fbcon_putcs+0x319/0x430
> >   do_update_region+0x23c/0x3b0
> >   do_con_write+0x225c/0x67f0
> >   con_write+0xe/0x30
> >   n_tty_write+0x4b5/0xff0
> >   file_tty_write.isra.41+0x46c/0x880
> >   vfs_write+0x868/0xd60
> >   ksys_write+0xf2/0x1d0
> >   do_syscall_64+0xfa/0x570
> >
> > Fix this by calling fbcon_rotate_font() if vc is invisible in
> > fbcon_do_set_font().
> >
> > Signed-off-by: Chen Jun <chenjun102@xxxxxxxxxx>
> > ---
> >   drivers/video/fbdev/core/fbcon.c | 5 +++++
> >   1 file changed, 5 insertions(+)
>
> applied to fbdev git tree.

I got a compile error:

hppa-linux-gnu-ld: drivers/video/fbdev/core/fbcon.o: in function `fbcon_do_set_font':
/home/cvs/parisc/git-kernel/linus-linux-2.6/drivers/video/fbdev/core/fbcon.c:2392:(.text+0x1e28): undefined reference to `fbcon_rotate_font'
make[3]: *** [/home/cvs/parisc/git-kernel/linus-linux-2.6/scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 1

I modified your patch like this:

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index a58ce1fe320c..1fb28f353168 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2388,7 +2388,7 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
                rows = FBCON_SWAP(par->rotate, info->var.yres, info->var.xres);
                cols /= w;
                rows /= h;
-               if (!con_is_visible(vc)) {
+               if (IS_ENABLED(CONFIG_FRAMEBUFFER_CONSOLE_ROTATION) && !con_is_visible(vc)) {
                        ret = fbcon_rotate_font(info, vc);

Helge