fbdev: fix potential buffer overflow in do_register_framebuffer()

The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceeds array bounds Add boundary check to prevent registered_fb[FB_MAX] access. Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn> Signed-off-by: Helge Deller <deller@gmx.de>
author: Yongzhen Zhang <zhangyongzhen@kylinos.cn> 2025-07-01 17:07:04 +0800
committer: Helge Deller <deller@gmx.de> 2025-07-27 19:56:51 +0200
commit: 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 (patch)
tree: cd4cba59beb6f7c3e3ce479535b60ab26ff87e81
parent: ecdd7df997fd992f0ec70b788e3b12258008a2bf (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index dfcf5e4d1d4c..53f1719b1ae1 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -449,6 +449,9 @@ static int do_register_framebuffer(struct fb_info *fb_info)
 		if (!registered_fb[i])
 			break;
 
+	if (i >= FB_MAX)
+		return -ENXIO;
+
 	if (!fb_info->modelist.prev || !fb_info->modelist.next)
 		INIT_LIST_HEAD(&fb_info->modelist);
author	Yongzhen Zhang <zhangyongzhen@kylinos.cn>	2025-07-01 17:07:04 +0800
committer	Helge Deller <deller@gmx.de>	2025-07-27 19:56:51 +0200
commit	523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 (patch)
tree	cd4cba59beb6f7c3e3ce479535b60ab26ff87e81
parent	ecdd7df997fd992f0ec70b788e3b12258008a2bf (diff)