summaryrefslogtreecommitdiff
path: root/kernel/fail_function.c
diff options
context:
space:
mode:
authorAlbin Babu Varghese <albinbabuvarghese20@gmail.com>2025-10-03 03:32:09 -0400
committerHelge Deller <deller@gmx.de>2025-10-04 02:41:29 +0200
commit3637d34b35b287ab830e66048841ace404382b67 (patch)
treedca64b58f442167ccb4bc188d7cf58a803fae9fb /kernel/fail_function.c
parentc8fee6a7c5cbde4908804aafc469391c22e72be9 (diff)
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes. Reported-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190 Suggested-by: Helge Deller <deller@gmx.de> Tested-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de>
Diffstat (limited to 'kernel/fail_function.c')
0 files changed, 0 insertions, 0 deletions