Commit 6735b463 authored by Peilin Ye's avatar Peilin Ye Committed by Daniel Vetter
Browse files

Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts 

syzbot has reported an issue in the framebuffer layer, where a malicious
user may overflow our built-in font data buffers.

In order to perform a reliable range check, subsystems need to know
`FONTDATAMAX` for each built-in font. Unfortunately, our font descriptor,
`struct console_font` does not contain `FONTDATAMAX`, and is part of the
UAPI, making it infeasible to modify it.

For user-provided fonts, the framebuffer layer resolves this issue by
reserving four extra words at the beginning of data buffers. Later,
whenever a function needs to access them, it simply uses the following
macros:

Recently we have gathered all the above macros to <linux/font.h>. Let us
do the same thing for built-in fonts, prepend four extra words (including
`FONTDATAMAX`) to their data buffers, so that subsystems can use these
macros for all fonts, no matter built-in or user-provided.

This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
macros into linux/font.h".

Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd


Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/ef18af00c35fb3cc826048a5f70924ed6ddce95b.1600953813.git.yepeilin.cs@gmail.com
parent bb0890b4

include/linux/font.h

+5 −0
Original line number Diff line number Diff line
@@ -67,4 +67,9 @@ extern const struct font_desc *get_default_font(int xres, int yres, 


#define FONT_EXTRA_WORDS 4



struct font_data {

	unsigned int extra[FONT_EXTRA_WORDS];

	const unsigned char data[];

} __packed;



#endif /* _VIDEO_FONT_H */

lib/fonts/font_10x18.c

+4 −5
Original line number Diff line number Diff line
@@ -8,8 +8,8 @@ 


#define FONTDATAMAX 9216



static const unsigned char fontdata_10x18[FONTDATAMAX] = {



static struct font_data fontdata_10x18 = {

	{ 0, 0, FONTDATAMAX, 0 }, {

	/* 0 0x00 '^@' */

	0x00, 0x00, /* 0000000000 */

	0x00, 0x00, /* 0000000000 */
@@ -5129,8 +5129,7 @@ static const unsigned char fontdata_10x18[FONTDATAMAX] = { 
	0x00, 0x00, /* 0000000000 */

	0x00, 0x00, /* 0000000000 */

	0x00, 0x00, /* 0000000000 */



};

} };





const struct font_desc font_10x18 = {
@@ -5138,7 +5137,7 @@ const struct font_desc font_10x18 = { 
	.name	= "10x18",

	.width	= 10,

	.height	= 18,

	.data	= fontdata_10x18,

	.data	= fontdata_10x18.data,

#ifdef __sparc__

	.pref	= 5,

#else

lib/fonts/font_6x10.c

+5 −4
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0

#include <linux/font.h>



static const unsigned char fontdata_6x10[] = {

#define FONTDATAMAX 2560



static struct font_data fontdata_6x10 = {

	{ 0, 0, FONTDATAMAX, 0 }, {

	/* 0 0x00 '^@' */

	0x00, /* 00000000 */

	0x00, /* 00000000 */
@@ -3074,14 +3076,13 @@ static const unsigned char fontdata_6x10[] = { 
	0x00, /* 00000000 */

	0x00, /* 00000000 */

	0x00, /* 00000000 */



};

} };



const struct font_desc font_6x10 = {

	.idx	= FONT6x10_IDX,

	.name	= "6x10",

	.width	= 6,

	.height	= 10,

	.data	= fontdata_6x10,

	.data	= fontdata_6x10.data,

	.pref	= 0,

};

lib/fonts/font_6x11.c

+4 −5
Original line number Diff line number Diff line
@@ -9,8 +9,8 @@ 


#define FONTDATAMAX (11*256)



static const unsigned char fontdata_6x11[FONTDATAMAX] = {



static struct font_data fontdata_6x11 = {

	{ 0, 0, FONTDATAMAX, 0 }, {

	/* 0 0x00 '^@' */

	0x00, /* 00000000 */

	0x00, /* 00000000 */
@@ -3338,8 +3338,7 @@ static const unsigned char fontdata_6x11[FONTDATAMAX] = { 
	0x00, /* 00000000 */

	0x00, /* 00000000 */

	0x00, /* 00000000 */



};

} };





const struct font_desc font_vga_6x11 = {
@@ -3347,7 +3346,7 @@ const struct font_desc font_vga_6x11 = { 
	.name	= "ProFont6x11",

	.width	= 6,

	.height	= 11,

	.data	= fontdata_6x11,

	.data	= fontdata_6x11.data,

	/* Try avoiding this font if possible unless on MAC */

	.pref	= -2000,

};

lib/fonts/font_7x14.c

+4 −5
Original line number Diff line number Diff line
@@ -8,8 +8,8 @@ 


#define FONTDATAMAX 3584



static const unsigned char fontdata_7x14[FONTDATAMAX] = {



static struct font_data fontdata_7x14 = {

	{ 0, 0, FONTDATAMAX, 0 }, {

	/* 0 0x00 '^@' */

	0x00, /* 0000000 */

	0x00, /* 0000000 */
@@ -4105,8 +4105,7 @@ static const unsigned char fontdata_7x14[FONTDATAMAX] = { 
	0x00, /* 0000000 */

	0x00, /* 0000000 */

	0x00, /* 0000000 */



};

} };





const struct font_desc font_7x14 = {
@@ -4114,6 +4113,6 @@ const struct font_desc font_7x14 = { 
	.name	= "7x14",

	.width	= 7,

	.height	= 14,

	.data	= fontdata_7x14,

	.data	= fontdata_7x14.data,

	.pref	= 0,

};

CRA Git | Maintained and supported by SUSTech CRA and CCSE