Re: [RFC PATCH] fbcon: Fix out-of-bounds memory in fbcon_putcs

[Thomas Zimmermann]

Hi

Am 04.03.26 um 04:47 schrieb chenjun (AM):
> 在 2026/3/2 19:34, Thomas Zimmermann 写道:
> > Hi
> >
> > Am 02.03.26 um 12:24 schrieb chenjun (AM):
> > > 在 2026/3/2 18:19, Thomas Zimmermann 写道:
> > > > Am 27.02.26 um 15:43 schrieb Chen Jun:
> > > > > When a font is set on an invisible console, the screen will not update.
> > > > > However, the fontbuffer is not updated to match the new font dimensions.
> > > > >
> > > > > This inconsistency leads to out-of-bounds memory access when writing to
> > > > > the tty bound to fbcon, as demonstrated by the following KASAN report:
> > > > >
> > > > > BUG: KASAN: slab-out-of-bounds in fb_pad_aligned_buffer+0xdf/0x140
> > > > > Read of size 1 at addr ffff8881195a2280 by task a.out/971
> > > > > Call Trace:
> > > > >       <TASK>
> > > > >       fb_pad_aligned_buffer+0xdf/0x140
> > > > >       ud_putcs+0x88a/0xde0
> > > > >       fbcon_putcs+0x319/0x430
> > > > >       do_update_region+0x23c/0x3b0
> > > > >       do_con_write+0x225c/0x67f0
> > > > >       con_write+0xe/0x30
> > > > >       n_tty_write+0x4b5/0xff0
> > > > >       file_tty_write.isra.41+0x46c/0x880
> > > > >       vfs_write+0x868/0xd60
> > > > >       ksys_write+0xf2/0x1d0
> > > > >       do_syscall_64+0xfa/0x570
> > > > >
> > > > > Fix this by calling fbcon_rotate_font() if vc is invisible in
> > > > > fbcon_do_set_font().
> > > > >
> > > > > Signed-off-by: Chen Jun <chenjun102@xxxxxxxxxx>
> > > > Reviewed-by: Thomas Zimmermann <tzimmermann@xxxxxxx>
> > > Hi Thomas,
> > >
> > > Thanks for your review.
> > >
> > > I'm not familiar with the fbcon module. Is there a better way to fix this?
> > Not really, I think. The whole module first needs a redesign to be
> > easier to understand.
> >
> > Best regards
> > Thomas
> >
> > > > > ---
> > > > >       drivers/video/fbdev/core/fbcon.c | 5 +++++
> > > > >       1 file changed, 5 insertions(+)
> > > > >
> > > > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > > > > index 666261ae59d8..d76100188bee 100644
> > > > > --- a/drivers/video/fbdev/core/fbcon.c
> > > > > +++ b/drivers/video/fbdev/core/fbcon.c
> > > > > @@ -2444,6 +2444,11 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
> > > > >       		rows = FBCON_SWAP(par->rotate, info->var.yres, info->var.xres);
> > > > >       		cols /= w;
> > > > >       		rows /= h;
> > > > > +		if (!con_is_visible(vc)) {
> > > > > +			ret = fbcon_rotate_font(info, vc);
> > > > > +			if (ret)
> > > > > +				goto err_out;
> > > > > +		}
> Hi Thomas and Helge,
>
> I apologize, but after reviewing the code, I believe there is a problem.
> The issue is that fbcon_do_set_font() updates members of
> info->fbcon_par, and the info are shared with other vc instances.

Than let's drop the patch for now.

My best idea to fix this is to move the rotated font out of fbcon_par. 
The unrotated font data is stored at [1]. The struct fbcon_display 
stores a vc's display settings. It might be possible to move the rotated 
data there as well. Tracked correctly, each vc would have its own 
rotated font. BUT this might also have other side effects.

Best regards
Thomas

[1] 
https://elixir.bootlin.com/linux/v6.19.3/source/drivers/video/fbdev/core/fbcon.h#L28

> Best regards
> Chen Jun
>
> > > > >       		ret = vc_resize(vc, cols, rows);
> > > > >       		if (ret)
> > > > >       			goto err_out;

--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)