> On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote: > > Hi all, > > > > syzbot has reported [1] a global out-of-bounds read issue in > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in > > font data buffers, declared in lib/fonts/font_*.c: ... > > (drivers/video/fbdev/core/fbcon.c) > > if (font->width <= 8) { > > j = vc->vc_font.height; > > + if (font->charcount * j > FNTSIZE(fontdata)) > > + return -EINVAL; Can that still go wrong because the multiply wraps? David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales) _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel