From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Fullway Wang <fullwaywang@outlook.com>,
Helge Deller <deller@gmx.de>, Sasha Levin <sashal@kernel.org>,
adaplas@gmail.com, linux-fbdev@vger.kernel.org,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 3/8] fbdev: savage: Error out if pixclock equals zero
Date: Fri, 2 Feb 2024 13:41:47 -0500 [thread overview]
Message-ID: <20240202184156.541981-3-sashal@kernel.org> (raw)
In-Reply-To: <20240202184156.541981-1-sashal@kernel.org>
From: Fullway Wang <fullwaywang@outlook.com>
[ Upstream commit 04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288 ]
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), but it is not
checked properly in savagefb_probe(). Fix this by checking whether
pixclock is zero in the function savagefb_check_var() before
info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.
Signed-off-by: Fullway Wang <fullwaywang@outlook.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/savage/savagefb_driver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c
index 0ac750cc5ea1..94ebd8af50cf 100644
--- a/drivers/video/fbdev/savage/savagefb_driver.c
+++ b/drivers/video/fbdev/savage/savagefb_driver.c
@@ -868,6 +868,9 @@ static int savagefb_check_var(struct fb_var_screeninfo *var,
DBG("savagefb_check_var");
+ if (!var->pixclock)
+ return -EINVAL;
+
var->transp.offset = 0;
var->transp.length = 0;
switch (var->bits_per_pixel) {
--
2.43.0
next prev parent reply other threads:[~2024-02-02 18:42 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-02 18:41 [PATCH AUTOSEL 5.10 1/8] wifi: cfg80211: fix missing interfaces when dumping Sasha Levin
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 2/8] wifi: mac80211: fix race condition on enabling fast-xmit Sasha Levin
2024-02-02 18:41 ` Sasha Levin [this message]
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 4/8] fbdev: sis: Error out if pixclock equals zero Sasha Levin
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 5/8] spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected Sasha Levin
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 6/8] ahci: asm1166: correct count of reported ports Sasha Levin
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 7/8] exec: Distinguish in_execve from in_exec Sasha Levin
2024-02-18 19:12 ` Pavel Machek
2024-02-22 12:36 ` Sasha Levin
2024-02-02 18:41 ` [PATCH AUTOSEL 5.10 8/8] ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240202184156.541981-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=adaplas@gmail.com \
--cc=deller@gmx.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=fullwaywang@outlook.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.