diff mbox series

[SRU,Bionic,3/3] fbmem: Check virtual screen sizes in fb_set_var()

Message ID 20220805155434.243360-4-cengiz.can@canonical.com
State New
Headers show
Series CVE-2021-33655 | expand

Commit Message

Cengiz Can Aug. 5, 2022, 3:54 p.m. UTC
From: Helge Deller <deller@gmx.de>

commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream

Verify that the fbdev or drm driver correctly adjusted the virtual
screen sizes. On failure report the failing driver and reject the screen
size change.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
[Chen Jun: adjust context]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Link: https://lore.kernel.org/all/20220804122734.121201-4-chenjun102@huawei.com/
CVE-2021-33655
(backported from commit 6c11df58fd1ac0aefcb3b227f72769272b939e56)
[cengizcan: fix was not backported to <5.4 but there's a patchset
targeting 4.14 under review. this is based on that.]
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 drivers/video/fbdev/core/fbmem.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff mbox series

Patch

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 264e8ca5efa7d..1238cc9f42c03 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1019,6 +1019,16 @@  fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 		if (ret)
 			goto done;
 
+		/* verify that virtual resolution >= physical resolution */
+		if (var->xres_virtual < var->xres ||
+		    var->yres_virtual < var->yres) {
+			pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n",
+				info->fix.id,
+				var->xres_virtual, var->yres_virtual,
+				var->xres, var->yres);
+			return -EINVAL;
+		}
+
 		if ((var->activate & FB_ACTIVATE_MASK) == FB_ACTIVATE_NOW) {
 			struct fb_var_screeninfo old_var;
 			struct fb_videomode mode;