{"id":"CVE-2023-54116","summary":"drm/fbdev-generic: prohibit potential out-of-bounds access","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-generic: prohibit potential out-of-bounds access\n\nThe fbdev test of IGT may write after EOF, which leads to out-of-bounds\naccess for drm drivers with fbdev-generic. For example, running the fbdev test\non an x86+ast2400 platform, with 1680x1050 resolution, will cause the\nLinux kernel to hang with the following call trace:\n\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  [IGT] fbdev: starting subtest eof\n  Workqueue: events drm_fb_helper_damage_work [drm_kms_helper]\n  [IGT] fbdev: starting subtest nullptr\n\n  RIP: 0010:memcpy_erms+0xa/0x20\n  RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246\n  RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0\n  RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000\n  RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0\n  R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80\n  R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30\n  FS:  0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0\n  Call Trace:\n   \u003cTASK\u003e\n   ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper]\n   drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper]\n   process_one_work+0x21f/0x430\n   worker_thread+0x4e/0x3c0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0xf4/0x120\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x2c/0x50\n   \u003c/TASK\u003e\n  CR2: ffffa17d40e0b000\n  ---[ end trace 0000000000000000 ]---\n\nThis is because the damage rectangles computed by the\ndrm_fb_helper_memory_range_to_clip() function are not guaranteed to be\nbound in the screen's active display area. Possible reasons are:\n\n1) Buffers are allocated in the granularity of page size, for mmap system\n   call support. The shadow screen buffer consumed by fbdev emulation may\n   also be chosen to be page size aligned.\n\n2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip()\n   will introduce an off-by-one error.\n\nFor example, on a 16KB page size system, in order to store a 1920x1080\nXRGB framebuffer, we need to allocate 507 pages. Unfortunately, the size\n1920*1080*4 can not be divided exactly by 16KB.\n\n 1920 * 1080 * 4 = 8294400 bytes\n 506 * 16 * 1024 = 8290304 bytes\n 507 * 16 * 1024 = 8306688 bytes\n\n line_length = 1920*4 = 7680 bytes\n\n 507 * 16 * 1024 / 7680 = 1081.6\n\n off / line_length = 507 * 16 * 1024 / 7680 = 1081\n DIV_ROUND_UP(507 * 16 * 1024, 7680) will yield 1082\n\nmemcpy_toio() typically issues the copy line by line; when copying the last\nline, out-of-bounds access will happen. Because:\n\n 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 \u003e 8306688\n\nNote that userspace may still write to the invisible area if a larger\nbuffer than width x stride is exposed. But it is not a big issue as\nlong as there still have memory resolve the access if not drafting so\nfar.\n\n - Also limit the y1 (Daniel)\n - keep fix patch it to minimal (Daniel)\n - screen_size is page size aligned because of it need mmap (Thomas)\n - Adding fixes tag (Thomas)","modified":"2026-04-02T09:45:35.934208Z","published":"2025-12-24T13:06:37.591Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54116.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/251653fa974ea551a15d16cacfed7cde68cc7f87"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c8687694bb1f5c48134f152f8c5c2e53483eb99d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/efd2821b8abeccb6b51423002e2a62921481a26e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54116.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54116"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"aa15c677cc34e626789cb65b8e7375180851c03b"},{"fixed":"efd2821b8abeccb6b51423002e2a62921481a26e"},{"fixed":"251653fa974ea551a15d16cacfed7cde68cc7f87"},{"fixed":"c8687694bb1f5c48134f152f8c5c2e53483eb99d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54116.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.18.0"},{"fixed":"6.1.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.3.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54116.json"}}],"schema_version":"1.7.5"}