git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Mingyu Wang <25181214217@stu.xidian.edu.cn>
	Thu, 25 Jun 2026 16:03:06 +0000 (00:03 +0800)
committer	Helge Deller <deller@gmx.de>
	Thu, 25 Jun 2026 16:15:48 +0000 (18:15 +0200)
commit	8fdc8c2057eea08d40ce2c8eed41ff9e451c65c2
tree	f155d6d13c184a4fb8f1ff3a927e90035b350b83	tree \| snapshot
parent	16eb19f0c90af03bda6ba66586d7bb0e9cf85b43	commit \| diff

fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()

When fbcon_do_set_font() fails (e.g., due to a memory allocation failure
inside vc_resize() under heavy memory pressure), it jumps to the `err_out`
label to roll back the console state. However, the current rollback logic
forgets to restore the `hi_font` state, leading to a severe state machine
corruption.

Earlier in the function, `set_vc_hi_font()` might be called to change
`vc->vc_hi_font_mask` and mutate the screen buffer. If `vc_resize()`
subsequently fails, the `err_out` path restores `vc_font.charcount`
but entirely skips rolling back the `vc_hi_font_mask` and the screen
buffer.

This mismatch leaves the terminal in a desynchronized state. Because
`vc_hi_font_mask` remains set, the VT subsystem will still accept
character indices greater than 255 from userspace and write them to the
screen buffer. Subsequent rendering calls (e.g., `fbcon_putcs()`) will
then use these inflated indices to access the reverted, 256-character
font array, leading to a deterministic out-of-bounds read and potential
kernel memory disclosure.

Fix this by adding the missing rollback logic for the `hi_font` mask
and screen buffer in the error path.

Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
Cc: stable@vger.kernel.org
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>