]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ec12068)
fbdev: fix potential buffer overflow in do_register_framebuffer()
authorYongzhen Zhang <zhangyongzhen@kylinos.cn>
Tue, 1 Jul 2025 09:07:04 +0000 (17:07 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 20 Aug 2025 16:30:40 +0000 (18:30 +0200)
[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]

The current implementation may lead to buffer overflow when:
1.  Unregistration creates NULL gaps in registered_fb[]
2.  All array slots become occupied despite num_registered_fb < FB_MAX
3.  The registration loop exceeds array bounds

Add boundary check to prevent registered_fb[FB_MAX] access.

Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/video/fbdev/core/fbmem.c patch | blob | blame | history

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index eca2498f243685dbf640d23b786d8dbc3c0577a2..6a033bf17ab6027d011281a1c155bf38bdb5eb3f 100644 (file)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -403,6 +403,9 @@ static int do_register_framebuffer(struct fb_info *fb_info)
                if (!registered_fb[i])
                        break;
 
+       if (i >= FB_MAX)
+               return -ENXIO;
+
        if (!fb_info->modelist.prev || !fb_info->modelist.next)
                INIT_LIST_HEAD(&fb_info->modelist);
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git