Patch "fbcon: Fix a NULL pointer dereference issue in fbcon_putcs" has been added to the 6.6-stable tree

This is a note to let you know that I've just added the patch titled

    fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fbcon-fix-a-null-pointer-dereference-issue-in-fbcon_.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b6632a8851dc5530a2fd75608ee2581412d14631
Author: Qianqiang Liu <qianqiang.liu@xxxxxxx>
Date:   Wed Sep 25 13:29:36 2024 +0800

    fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
    
    [ Upstream commit 5b97eebcce1b4f3f07a71f635d6aa3af96c236e7 ]
    
    syzbot has found a NULL pointer dereference bug in fbcon.
    Here is the simplified C reproducer:
    
    #include <stdint.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>
    #include <linux/fb.h>      /* struct fb_con2fbmap, FBIOPUT_CON2FBMAP */
    #include <linux/tiocl.h>   /* struct tiocl_selection, TIOCL_SETSEL */
    
    /* TIOCLINUX argument: one subcode byte followed by the selection struct */
    struct param {
            uint8_t type;
            struct tiocl_selection ts;
    };
    
    int main()
    {
            struct fb_con2fbmap con2fb;
            struct param param;
    
            int fd = open("/dev/fb1", 0, 0);
    
            /* map console 0x19 onto framebuffer 0 */
            con2fb.console = 0x19;
            con2fb.framebuffer = 0;
            ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
    
            /* TIOCL_SETSEL with an empty selection on tty1 */
            param.type = 2;
            param.ts.xs = 0; param.ts.ys = 0;
            param.ts.xe = 0; param.ts.ye = 0;
            param.ts.sel_mode = 0;
    
            int fd1 = open("/dev/tty1", O_RDWR, 0);
            ioctl(fd1, TIOCLINUX, &param);
    
            /* remap console 1 onto framebuffer 0; this is the call that faults */
            con2fb.console = 1;
            con2fb.framebuffer = 0;
            ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
    
            return 0;
    }
    
    After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
    causes the kernel to follow a different execution path:
    
     set_con2fb_map
      -> con2fb_init_display
       -> fbcon_set_disp
        -> redraw_screen
         -> hide_cursor
          -> clear_selection
           -> highlight
            -> invert_screen
             -> do_update_region
              -> fbcon_putcs
               -> ops->putcs
    
    Since ops->putcs is a NULL pointer, this leads to a kernel panic.
    To prevent this, we need to call set_blitting_type() within set_con2fb_map()
    to properly initialize ops->putcs.
    
    Reported-by: syzbot+3d613ae53c031502687a@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a
    Tested-by: syzbot+3d613ae53c031502687a@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Qianqiang Liu <qianqiang.liu@xxxxxxx>
    Signed-off-by: Helge Deller <deller@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 24035b4f2cd70..405d587450ef8 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -847,6 +847,8 @@ static int set_con2fb_map(int unit, int newidx, int user)
 			return err;
 
 		fbcon_add_cursor_work(info);
+	} else if (vc) {
+		set_blitting_type(vc, info);
 	}
 
 	con2fb_map[unit] = newidx;
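Review bot: the new `else if (vc)` branch only initialises the blitting ops on the path where `info` was already registered, so please confirm that the preceding `if` branch (the one ending in `fbcon_add_cursor_work(info);`) also leaves `ops->putcs` set, since the commit message traces the dereference through `set_con2fb_map` without distinguishing the two paths. The context lines also do not show where `vc` is declared in this function, so the backport should be checked against the 6.6 version of `set_con2fb_map` to make sure `vc` is in scope at this point and that `set_blitting_type()` is declared before its use here.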
