refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@xxxxxx/ 3 patches are provided to fix CVE-2021-3365 (When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline. But only commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size") was backported to stable (4.19,4.14). without other two commit commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size") commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()") The problem still exists. static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg) fb_set_var(info, &var); fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE static int fbcon_event_notify(struct notifier_block *self, unsigned long action, void *data) fbcon_modechanged(info); updatescrollmode(p, info, vc); ... p->vrows = vyres/fh; if (yres > (fh * (vc->vc_rows + 1))) p->vrows -= (yres - (fh * vc->vc_rows)) / fh; if ((yres % fh) && (vyres % fh < yres % fh)) p->vrows--; [1] [1]: p->vrows could be -1, like what CVE-2021-3365 described. I think, the two commits should be backported to 4.19 and 4.14. Helge Deller (2): fbcon: Prevent that screen size is smaller than font size fbmem: Check virtual screen sizes in fb_set_var() drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++ drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++--- include/linux/fbcon.h | 4 ++++ 3 files changed, 49 insertions(+), 3 deletions(-) -- 2.17.1
