Message ID | 20230307130856.2295182-1-harperchen1110@gmail.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2433468wrd; Tue, 7 Mar 2023 05:38:50 -0800 (PST) X-Google-Smtp-Source: AK7set8+9h1suojM+Le+d8eMQc/N3ql/h2mcRmtwkibzW54Qkyh51A7nepyWgvdhLy7EjaW+YN7P X-Received: by 2002:a17:906:1405:b0:870:baa6:6762 with SMTP id p5-20020a170906140500b00870baa66762mr14797306ejc.14.1678196330507; Tue, 07 Mar 2023 05:38:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1678196330; cv=none; d=google.com; s=arc-20160816; b=tvohMFRWoxbj+MW2AWMtSx/uEaMNjOnjIt4aYNBwGiL3bac2CMi7gmPSq2aWjSDf0B 73vT/ZhegwPoVSYQ63xLrG4okQuOzsWWB7IL5imVXdMCZHWT3+OTHZ38I4o2AAMGORzn 6tAdXlVxhjzkfJqtEbHngvLjYFE+Jmbsvm+FikMFDABqpNBx0KimzClMfGkkQ+CfShQP 9WHrKqfml3ZJjLC9zg3x6NiEIVpjS/kTft4e1nkO8CL6+2jrK/UPZkY55ClIZ5/X7gqH 3Q2pFiYZlmW8Tl2ONhnGQSUSt8LQNBpJu62wUjuGHoDNOCJoVjrXk7ynVH3qvaLvHcoH LI4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=KDSasO/7mKvPMuHhaJ5dSUZlltLYrJQeoPhaTJiDZfs=; b=CUg/bdv9lzBulucwtKqz9hVfBZ/vCzgMI4Rb2f+bUMVfwdELAYUrjHMr8bLmjEQH39 9slbBdlr7KcF/zN6JMaLIYgWGDjpfK+CmOQDUHSquyMwvlXQKFCxeodUsdzc+C31fFj6 noRURGnSNIs/+gnuTnAxnFXxJj1vCV9PntoxNZN9pPWz7B89YwIA8V7FPLcXB27neDaj 8jzaqzvVeCRs29RXr5ZUqrW4bOwgRd9Mo4kwstolJptDWos2EqM+XzyhnYw792i30Y4z QhdZJf0tkvzlo6F1dax7rn0/DsfNrFRagWe3U1aNkBJfBOyupt/vLQqDPWpbu73Z4AOa 3jOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bmSSIW9K; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p24-20020a17090635d800b008c6c0bd2af4si11630491ejb.528.2023.03.07.05.38.26; Tue, 07 Mar 2023 05:38:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bmSSIW9K; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230224AbjCGNLr (ORCPT <rfc822;toshivichauhan@gmail.com> + 99 others); Tue, 7 Mar 2023 08:11:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50602 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230232AbjCGNLY (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 7 Mar 2023 08:11:24 -0500 Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90DD37695; Tue, 7 Mar 2023 05:10:00 -0800 (PST) Received: by mail-pl1-x62a.google.com with SMTP id u5so13943538plq.7; Tue, 07 Mar 2023 05:10:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678194542; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=KDSasO/7mKvPMuHhaJ5dSUZlltLYrJQeoPhaTJiDZfs=; b=bmSSIW9KtOuI5eNLrnjoEZACB3ezrROssS5D2oU29FxEC+Rq/PHZCCckVcDHs3bLPK m8ZKz6PCvzZlRkhAIpwYYkr2wdRk0Ni6V3SMiz434xU0AzLdLP6FlI5F3Kz91p7Xqay1 sFtr39ki8xM3n7OsY0BEmvQcdmIThIo0InXm6Vj5sSBisBybeBB1cdYhy6TL+jT1jgIO 4BYIAIDC/QXhMxtIIrEECSZZK87cS4q8YNJFOqbqtgn54SbIYBkJD2c8bzStIKMiAIpF NMlFx9AH8ZWf/7ARyOcvmzmbcEyGI7RZ4KQ8VKGxZOmyLxtNwZs3pwr8fPUT7jmhXz2s x6Qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678194542; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KDSasO/7mKvPMuHhaJ5dSUZlltLYrJQeoPhaTJiDZfs=; b=jp4uuS8+kGnKPo1dyLzq/5/737KOIIBlMBBmixH4pVjcme3uvMa5wlvxqlWeGHsduo LZbiHF2Ktn9LrTYCIJ2rU8jKaAdpQvhIXYiS799v53QzHbPrH6P0AGfiLJ1hhQFTRJyi Q/sHRtOlXT9uiV9ipCIE65aBKXXQwyp1S3C4mnFajrwWCpSOcJJU9YeB0mMFoa3DmVSV eRpvUqi1L6k3xsaURbtez4hhuFryThFZoGQc+rbGIk0QI84wU1NHPKP1Y5O84CxG7b7I 2w8EonCJKTA+TAyXaZhFVjaLGQKBR66hFH/C68MpghzsgrIQhjOcBD3ezmEBsr9Dgnn2 fUxw== X-Gm-Message-State: AO0yUKUE30HC4XKaCge7Y1zmUQWJfTo1VwYnwCt+YvuHKuDDFZxNAeir epCjWvmt7Ma8+v+I5fk0JcM= X-Received: by 2002:a17:903:22c1:b0:19e:ba2c:27ec with SMTP id y1-20020a17090322c100b0019eba2c27ecmr10944767plg.11.1678194542116; Tue, 07 Mar 2023 05:09:02 -0800 (PST) Received: from chcpu13.cse.ust.hk (191host119.mobilenet.cse.ust.hk. [143.89.191.119]) by smtp.gmail.com with ESMTPSA id y2-20020a170902ed4200b0019b0afc24e8sm8396190plb.250.2023.03.07.05.09.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Mar 2023 05:09:01 -0800 (PST) From: harperchen <harperchen1110@gmail.com> To: deller@gmx.de Cc: javierm@redhat.com, tzimmermann@suse.de, wsa+renesas@sang-engineering.com, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, harperchen <harperchen1110@gmail.com> Subject: [PATCH] fbdev: tgafb: Fix potential divide by zero Date: Tue, 7 Mar 2023 13:08:56 +0000 Message-Id: <20230307130856.2295182-1-harperchen1110@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1759716394924702356?= X-GMAIL-MSGID: =?utf-8?q?1759716394924702356?= |
Series |
fbdev: tgafb: Fix potential divide by zero
|
|
Commit Message
Wei Chen
March 7, 2023, 1:08 p.m. UTC
fb_set_var would by called when user invokes ioctl with cmd
FBIOPUT_VSCREENINFO. User-provided data would finally reach
tgafb_check_var. In case var->pixclock is assigned to zero,
divide by zero would occur when checking whether reciprocal
of var->pixclock is too high.
Similar crashes have happened in other fbdev drivers. There
is no check and modification on var->pixclock along the call
chain to tgafb_check_var. We believe it could also be triggered
in driver tgafb from user site.
Signed-off-by: harperchen <harperchen1110@gmail.com>
---
drivers/video/fbdev/tgafb.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On 3/7/23 14:08, harperchen wrote: > fb_set_var would by called when user invokes ioctl with cmd > FBIOPUT_VSCREENINFO. User-provided data would finally reach > tgafb_check_var. In case var->pixclock is assigned to zero, > divide by zero would occur when checking whether reciprocal > of var->pixclock is too high. > > Similar crashes have happened in other fbdev drivers. There > is no check and modification on var->pixclock along the call > chain to tgafb_check_var. We believe it could also be triggered > in driver tgafb from user site. > > Signed-off-by: harperchen <harperchen1110@gmail.com> Could you provide a real name? Otherwise applied to fbdev git tree. Thanks! Helge > --- > drivers/video/fbdev/tgafb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c > index 14d37c49633c..b44004880f0d 100644 > --- a/drivers/video/fbdev/tgafb.c > +++ b/drivers/video/fbdev/tgafb.c > @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) > { > struct tga_par *par = (struct tga_par *)info->par; > > + if (!var->pixclock) > + return -EINVAL; > + > if (par->tga_type == TGA_TYPE_8PLANE) { > if (var->bits_per_pixel != 8) > return -EINVAL;
Dear Helge, Thank you for the kind words. My real name is Wei Chen. Please apply this patch to fbdev git tree if it is correct. Best, Wei On Thu, 9 Mar 2023 at 06:05, Helge Deller <deller@gmx.de> wrote: > > On 3/7/23 14:08, harperchen wrote: > > fb_set_var would by called when user invokes ioctl with cmd > > FBIOPUT_VSCREENINFO. User-provided data would finally reach > > tgafb_check_var. In case var->pixclock is assigned to zero, > > divide by zero would occur when checking whether reciprocal > > of var->pixclock is too high. > > > > Similar crashes have happened in other fbdev drivers. There > > is no check and modification on var->pixclock along the call > > chain to tgafb_check_var. We believe it could also be triggered > > in driver tgafb from user site. > > > > Signed-off-by: harperchen <harperchen1110@gmail.com> > > Could you provide a real name? > Otherwise applied to fbdev git tree. > > Thanks! > Helge > > > --- > > drivers/video/fbdev/tgafb.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c > > index 14d37c49633c..b44004880f0d 100644 > > --- a/drivers/video/fbdev/tgafb.c > > +++ b/drivers/video/fbdev/tgafb.c > > @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) > > { > > struct tga_par *par = (struct tga_par *)info->par; > > > > + if (!var->pixclock) > > + return -EINVAL; > > + > > if (par->tga_type == TGA_TYPE_8PLANE) { > > if (var->bits_per_pixel != 8) > > return -EINVAL; >
On Wed, 08 Mar 2023, Helge Deller <deller@gmx.de> wrote: > On 3/7/23 14:08, harperchen wrote: >> fb_set_var would by called when user invokes ioctl with cmd >> FBIOPUT_VSCREENINFO. User-provided data would finally reach >> tgafb_check_var. In case var->pixclock is assigned to zero, >> divide by zero would occur when checking whether reciprocal >> of var->pixclock is too high. >> >> Similar crashes have happened in other fbdev drivers. There >> is no check and modification on var->pixclock along the call >> chain to tgafb_check_var. We believe it could also be triggered >> in driver tgafb from user site. >> >> Signed-off-by: harperchen <harperchen1110@gmail.com> > > Could you provide a real name? > Otherwise applied to fbdev git tree. See commit d4563201f33a ("Documentation: simplify and clarify DCO contribution example language"). BR, Jani. > > Thanks! > Helge > >> --- >> drivers/video/fbdev/tgafb.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c >> index 14d37c49633c..b44004880f0d 100644 >> --- a/drivers/video/fbdev/tgafb.c >> +++ b/drivers/video/fbdev/tgafb.c >> @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) >> { >> struct tga_par *par = (struct tga_par *)info->par; >> >> + if (!var->pixclock) >> + return -EINVAL; >> + >> if (par->tga_type == TGA_TYPE_8PLANE) { >> if (var->bits_per_pixel != 8) >> return -EINVAL; >
On 3/9/23 08:53, Jani Nikula wrote: > On Wed, 08 Mar 2023, Helge Deller <deller@gmx.de> wrote: >> On 3/7/23 14:08, harperchen wrote: >>> fb_set_var would by called when user invokes ioctl with cmd >>> FBIOPUT_VSCREENINFO. User-provided data would finally reach >>> tgafb_check_var. In case var->pixclock is assigned to zero, >>> divide by zero would occur when checking whether reciprocal >>> of var->pixclock is too high. >>> >>> Similar crashes have happened in other fbdev drivers. There >>> is no check and modification on var->pixclock along the call >>> chain to tgafb_check_var. We believe it could also be triggered >>> in driver tgafb from user site. >>> >>> Signed-off-by: harperchen <harperchen1110@gmail.com> >> >> Could you provide a real name? >> Otherwise applied to fbdev git tree. > > See commit d4563201f33a ("Documentation: simplify and clarify DCO > contribution example language"). Nice. Thanks for that link! Btw, I did applied that patch yesterday to my tree with just the nickname, but of course I do prefer real names which is why I asked. Helge
diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c index 14d37c49633c..b44004880f0d 100644 --- a/drivers/video/fbdev/tgafb.c +++ b/drivers/video/fbdev/tgafb.c @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { struct tga_par *par = (struct tga_par *)info->par; + if (!var->pixclock) + return -EINVAL; + if (par->tga_type == TGA_TYPE_8PLANE) { if (var->bits_per_pixel != 8) return -EINVAL;