From patchwork Fri Aug  5 10:09:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cengiz Can <cengiz.can@canonical.com>
X-Patchwork-Id: 1664009
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=TK7ANlLm;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4LzhDb0W7gz9s1l
	for <incoming@patchwork.ozlabs.org>; Fri,  5 Aug 2022 20:10:23 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1oJuHW-0000Hp-9C; Fri, 05 Aug 2022 10:10:14 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <cengiz.can@canonical.com>) id 1oJuHU-0000G6-6z
 for kernel-team@lists.ubuntu.com; Fri, 05 Aug 2022 10:10:12 +0000
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com
 [209.85.221.69])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 475FB3F132
 for <kernel-team@lists.ubuntu.com>; Fri,  5 Aug 2022 10:10:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1659694211;
 bh=qXg2eJC+2MZ3o7a6QS601q8uHjvVXbIzZVQoOkvBukc=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=TK7ANlLmKx8rJ0p0xXAMUT4fp5WsoSHEmYMQie201ZkgGuLUDwic1EzhxOQWgJ2lW
 UC15faQAlfgVhs01Cflak+MRNbzu9mkYSjeYxFBGU4IholT7KmXLbYThTBYqhW6sDG
 Fo2TPMmJgbFCsyPNVbChTUyVs9W/cjc8HxawjNYPltR3kGq9pkZqlHxfj/gC9T4jIY
 ocnnC1Oz1OTWZtcEo/m+hUODtEV088FJWMHn0sjHrWGoBoSeKQbUPWXEksZn85F3T1
 0PzvqSMg7bxgMwxwzAAUkWwXg2hF417txthUI18MEcREh5hptgJpO/+Pl3o8ONUuIe
 fbdSqVVvKbn5g==
Received: by mail-wr1-f69.google.com with SMTP id
 d6-20020adfa346000000b002206e4c29caso357955wrb.8
 for <kernel-team@lists.ubuntu.com>; Fri, 05 Aug 2022 03:10:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc;
 bh=qXg2eJC+2MZ3o7a6QS601q8uHjvVXbIzZVQoOkvBukc=;
 b=agymFK1YFxkX6sG83AixqZe9bhBRrQv8/YermZw6dhlQh4E7A1yzylBS4ewa+e/nHJ
 yZj4UrkyYgPAusXXQ4uIlVUO9gPcwiJfe4ELq+lEnvzJCZknaKbPXlElu/sIeOhx4k37
 bi27bwaRd/ycORenSQ5HT1F5F9hcuR6+EWGxk8ud9xm8BT0tJnX9BF6aT9RCgWMrxqU1
 Fs5DqKFIv/OadIDR+lEp63FU7tQooqboqK91HDs/YafM9vZUeMfY+XlrDtLRHkMnVM3I
 1DIzpX5xO5i7ZZ/6v0dRUcZIpoVYB3p2xWYxEG5YqRODFGzA/bnCH3q1DOx85ruzDiJO
 Vf2w==
X-Gm-Message-State: ACgBeo0BPJ7ht+MLV+Uzk8l3zSFIFNqNwHbie2Lyn4DKi0l8RGQVOPSC
 J0cy5Tb4GoCgqvwK32F6KwewtXLyROIX6a0SH54ohIl49bhRxWChDY/URl+x2IP9JNWoaReCjvl
 LbL6ZETeiWX6jVlHImyHYBkY7SbjwwjP6uPz7hufGcw==
X-Received: by 2002:a5d:5f06:0:b0:220:5a9b:578f with SMTP id
 cl6-20020a5d5f06000000b002205a9b578fmr3587559wrb.545.1659694210706;
 Fri, 05 Aug 2022 03:10:10 -0700 (PDT)
X-Google-Smtp-Source: 
 AA6agR5mTqtuMCy2L/g8YjQAeUZlsQ0tnHObdvN414Ase9ihHeGOFNw9VZ1hsnsANwnMOMTGSSwCbQ==
X-Received: by 2002:a5d:5f06:0:b0:220:5a9b:578f with SMTP id
 cl6-20020a5d5f06000000b002205a9b578fmr3587546wrb.545.1659694210501;
 Fri, 05 Aug 2022 03:10:10 -0700 (PDT)
Received: from localhost ([2001:67c:1560:8007::aac:c03c])
 by smtp.gmail.com with ESMTPSA id
 c16-20020adffb50000000b002205c907474sm3437474wrs.107.2022.08.05.03.10.09
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 05 Aug 2022 03:10:09 -0700 (PDT)
From: Cengiz Can <cengiz.can@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.14 PATCH 1/3] fbcon: Disallow setting font bigger than
 screen size
Date: Fri,  5 Aug 2022 13:09:44 +0300
Message-Id: <20220805100952.193179-5-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220805100952.193179-1-cengiz.can@canonical.com>
References: <20220805100952.193179-1-cengiz.can@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Helge Deller <deller@gmx.de>

Prevent that users set a font size which is bigger than the physical screen.
It's unlikely this may happen (because screens are usually much larger than the
fonts and each font char is limited to 32x32 pixels), but it may happen on
smaller screens/LCD displays.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v4.14+
CVE-2021-33655
(cherry picked from commit 65a01e601dbba8b7a51a2677811f70f783766682)
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 drivers/video/fbdev/core/fbcon.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index a25b63b56223f..0710c5ec1014f 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2480,6 +2480,11 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
 	if (charcount != 256 && charcount != 512)
 		return -EINVAL;
 
+	/* font bigger than screen resolution ? */
+	if (w > FBCON_SWAP(info->var.rotate, info->var.xres, info->var.yres) ||
+	    h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres))
+		return -EINVAL;
+
 	/* Make sure drawing engine can handle the font */
 	if (!(info->pixmap.blit_x & (1 << (font->width - 1))) ||
 	    !(info->pixmap.blit_y & (1 << (font->height - 1))))