refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@xxxxxx/ 3 patches are provided to fix CVE-2021-33655 (When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline. The problem exists in 4.9 static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg) fb_set_var(info, &var); fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE static int fbcon_event_notify(struct notifier_block *self, unsigned long action, void *data) fbcon_modechanged(info); updatescrollmode(p, info, vc); ... p->vrows = vyres/fh; if (yres > (fh * (vc->vc_rows + 1))) p->vrows -= (yres - (fh * vc->vc_rows)) / fh; if ((yres % fh) && (vyres % fh < yres % fh)) p->vrows--; [1] [1]: p->vrows could be -1, like what CVE-2021-33655 described. To fix it, backport the three patches. d48de54a9dab ("printk: Export is_console_locked") should also be backported to avoid building failed if CONFIG_FB = m. Hans de Goede (1): printk: Export is_console_locked Helge Deller (3): fbmem: Check virtual screen sizes in fb_set_var() fbcon: Disallow setting font bigger than screen size fbcon: Prevent that screen size is smaller than font size drivers/video/console/fbcon.c | 33 ++++++++++++++++++++++++++++++++ drivers/video/fbdev/core/fbmem.c | 20 ++++++++++++++++--- include/linux/fbcon.h | 12 ++++++++++++ kernel/printk/printk.c | 1 + 4 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 include/linux/fbcon.h -- 2.17.1
