fbdev: fix potential buffer overflow in do_register_framebuffer()

[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ] The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceeds array bounds Add boundary check to prevent registered_fb[FB_MAX] access. Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Yongzhen Zhang <zhangyongzhen@kylinos.cn> 2025-07-01 17:07:04 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-20 18:30:40 +0200
commit: 806f85bdd3a60187c21437fc51baace11f659f35 (patch)
tree: 9e3a7ee1bc8fa938748d7ee0acde56f693074c77
parent: ec12068f10c1b8834e87e2bb195311d71dd0321f (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index eca2498f2436..6a033bf17ab6 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -403,6 +403,9 @@ static int do_register_framebuffer(struct fb_info *fb_info)
 		if (!registered_fb[i])
 			break;
 
+	if (i >= FB_MAX)
+		return -ENXIO;
+
 	if (!fb_info->modelist.prev || !fb_info->modelist.next)
 		INIT_LIST_HEAD(&fb_info->modelist);
author	Yongzhen Zhang <zhangyongzhen@kylinos.cn>	2025-07-01 17:07:04 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-08-20 18:30:40 +0200
commit	806f85bdd3a60187c21437fc51baace11f659f35 (patch)
tree	9e3a7ee1bc8fa938748d7ee0acde56f693074c77
parent	ec12068f10c1b8834e87e2bb195311d71dd0321f (diff)