6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann tzimmermann@suse.de
commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream.
Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") introduced an out-of-bounds access by storing data and allocation sizes in the same variable. Restore the old size calculation and use the new variable 'alloc_size' for the allocation.
Signed-off-by: Thomas Zimmermann tzimmermann@suse.de Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Reported-by: Jani Nikula jani.nikula@linux.intel.com Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201 Cc: Samasth Norway Ananda samasth.norway.ananda@oracle.com Cc: Thomas Zimmermann tzimmermann@suse.de Cc: George Kennedy george.kennedy@oracle.com Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Simona Vetter simona@ffwll.ch Cc: Helge Deller deller@gmx.de Cc: "Ville Syrjälä" ville.syrjala@linux.intel.com Cc: Sam Ravnborg sam@ravnborg.org Cc: Qianqiang Liu qianqiang.liu@163.com Cc: Shixiong Ou oushixiong@kylinos.cn Cc: Kees Cook kees@kernel.org Cc: stable@vger.kernel.org # v5.9+ Cc: Zsolt Kajtar soci@c64.rulez.org Reviewed-by: Lucas De Marchi lucas.demarchi@intel.com Reviewed-by: Qianqiang Liu qianqiang.liu@163.com Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2492,7 +2492,7 @@ static int fbcon_set_font(struct vc_data unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, alloc_size; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2525,10 +2525,10 @@ static int fbcon_set_font(struct vc_data return -EINVAL;
/* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size)) return -EINVAL;
- new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(alloc_size, GFP_USER);
if (!new_data) return -ENOMEM;