Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
From: Khalid Masum
Date: Sat Jul 30 2022 - 04:13:10 EST
Currently the if block's condition has an unhandled case, where the
result of ret might get greater than vc->vc_scr_end, and therefore
the corresponding handler in the else block never gets executed, which
eventually causes a panic in fast_imageblit.
Add this extra check to the conditions to fix this breakage.
#syz-test: https://github.com/torvalds/linux.git e0dccc3b76fb
---
drivers/video/fbdev/core/fbcon.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 1a9aa12cf886..d026f3845b60 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2591,14 +2591,13 @@ static unsigned long fbcon_getxy(struct vc_data *vc, unsigned long pos,
{
unsigned long ret;
int x, y;
+ unsigned long offset = (pos - vc->vc_origin) / 2;
+ x = offset % vc->vc_cols;
+ y = offset / vc->vc_cols;
+ ret = pos + (vc->vc_cols - x) * 2;
- if (pos >= vc->vc_origin && pos < vc->vc_scr_end) {
- unsigned long offset = (pos - vc->vc_origin) / 2;
-
- x = offset % vc->vc_cols;
- y = offset / vc->vc_cols;
- ret = pos + (vc->vc_cols - x) * 2;
- } else {
+ if (!pos >= vc->vc_origin || !pos < vc->vc_scr_end ||
+ !ret < vc->vc_scr_end) {
/* Should not happen */
x = y = 0;
ret = vc->vc_origin;
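Review bot: the new condition in `if (!pos >= vc->vc_origin || !pos < vc->vc_scr_end ||` / `!ret < vc->vc_scr_end) {` does not test what the commit message describes, because in C the unary `!` binds tighter than `>=` and `<`. `!pos >= vc->vc_origin` compares `!pos` (0 or 1) against `vc->vc_origin`, and `!ret < vc->vc_scr_end` compares 0 or 1 against `vc->vc_scr_end`; for any non-zero `pos` and `ret` the three operands reduce to `0 >= vc->vc_origin` (false unless the origin is 0), `0 < vc->vc_scr_end` (true for any non-zero end) and `0 < vc->vc_scr_end` (true), so the "Should not happen" branch is taken essentially always and the intended bound check on `ret` never fires. gcc flags this pattern with -Wlogical-not-parentheses. The negated range test should read `pos < vc->vc_origin || pos >= vc->vc_scr_end || ret >= vc->vc_scr_end`. A secondary point: `offset` is now computed before the range check, so for `pos < vc->vc_origin` the unsigned subtraction wraps; the value is discarded when the fallback resets x, y and ret, so it is harmless, but either a comment saying so or keeping the subtraction under the check would make that explicit.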
--
2.36.1