[PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write
From: yuhaocheng035
Date: Sat Mar 21 2026 - 02:24:12 EST
From: Haocheng Yu <yuhaocheng035@xxxxxxxxx>

A KASAN: slab-out-of-bounds Write in do_con_write issue is reported by
a modified Syzkaller-based kernel fuzzing tool that we developed. The
report indicates the problem lies in vc_con_write_normal
drivers/tty/vt/vt.c:3141(scr_writew(tc, (u16*)vc->vc_pos)), which writes
2 bytes to the right of the allocated region at 2634 bytes.

Since it did not provide any repro program or enough information,
the cause remains unclear. However, adding a validity check of vc->vc_pos
before scr_writew should avoid this issue.

Signed-off-by: Haocheng Yu <yuhaocheng035@xxxxxxxxx>
---
drivers/tty/vt/vt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 6e0089b85c27..95d860f09837 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3138,6 +3138,13 @@ static int vc_con_write_normal(struct vc_data *vc, int tc, int c,
(tc & 0xff);
tc |= (vc_attr << 8) & ~himask;
+ unsigned long end = vc->vc_origin + vc->vc_screenbuf_size;
+
+ if (WARN_ON_ONCE(vc->vc_screenbuf_size < 2 ||
+ end < vc->vc_origin ||
+ vc->vc_pos < vc->vc_origin ||
+ vc->vc_pos > end - 2))
+ return -1;
+
scr_writew(tc, (u16 *)vc->vc_pos);
if (con_should_update(vc) && draw->x < 0) {
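Review bot: the new range check placed directly before scr_writew() guards the symptom rather than the defect. The commit message states that the cause is unclear, and a test of vc->vc_pos against vc->vc_origin + vc->vc_screenbuf_size on every character write only catches the bad pointer after some other path has already left those three fields inconsistent. After the first hit, WARN_ON_ONCE stays silent and later writes are dropped through "return -1" with no trace, which makes the underlying bug harder to find. It would be better to identify which path updates vc_pos, vc_origin or vc_screenbuf_size without keeping them in step and fix or validate there. If a check stays in this function, two smaller points apply: "unsigned long end = ..." is declared after the "tc |= ..." statement and should move to the top of its block, and the changelog should say what a -1 return from vc_con_write_normal() means to the caller, so it is clear the character is skipped rather than retried.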
base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
--
2.51.0