diff options
| author | Yongzhen Zhang <zhangyongzhen@kylinos.cn> | 2025-07-01 17:07:04 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-08-28 16:28:25 +0200 |
| commit | cbe740de32bb0fb7a5213731ff5f26ea6718fca3 (patch) | |
| tree | 24ec6f499a2c5f56b8ab9ac092921940577f46f9 /drivers/video | |
| parent | 6daa13c20190012eb7cfe4f205ef331b34122e39 (diff) | |
| download | linux-cbe740de32bb0fb7a5213731ff5f26ea6718fca3.tar.gz linux-cbe740de32bb0fb7a5213731ff5f26ea6718fca3.tar.bz2 linux-cbe740de32bb0fb7a5213731ff5f26ea6718fca3.zip | |
fbdev: fix potential buffer overflow in do_register_framebuffer()
[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]
The current implementation may lead to buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds
Add boundary check to prevent registered_fb[FB_MAX] access.
Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/video')
| -rw-r--r-- | drivers/video/fbdev/core/fbmem.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 52bd3af54369..942b942f6bf9 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -943,6 +943,9 @@ static int do_register_framebuffer(struct fb_info *fb_info) if (!registered_fb[i]) break; + if (i >= FB_MAX) + return -ENXIO; + if (!fb_info->modelist.prev || !fb_info->modelist.next) INIT_LIST_HEAD(&fb_info->modelist); |