fbcon: fix integer overflow in fbcon_do_set_font

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
   multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
   overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda <[email protected]>
Reviewed-by: Thomas Zimmermann <[email protected]>
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy <[email protected]>
Cc: stable <[email protected]>
Cc: [email protected]
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Simona Vetter <[email protected]>
Cc: Helge Deller <[email protected]>
Cc: Thomas Zimmermann <[email protected]>
Cc: "Ville Syrjälä" <[email protected]>
Cc: Sam Ravnborg <[email protected]>
Cc: Qianqiang Liu <[email protected]>
Cc: Shixiong Ou <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: <[email protected]> # v5.9+
Signed-off-by: Thomas Zimmermann <[email protected]>
Link: https://lore.kernel.org/r/[email protected]

0 files changed, 0 insertions, 0 deletions