From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bartlomiej Zolnierkiewicz Date: Thu, 09 Nov 2017 16:11:42 +0000 Subject: Re: [PATCH] fbdev: controlfb: Add missing modes to fix out of bounds access Message-Id: <3213289.UpBeyY0aCM@amdc3058> List-Id: References: <1510063505-2063-1-git-send-email-geert@linux-m68k.org> In-Reply-To: <1510063505-2063-1-git-send-email-geert@linux-m68k.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Geert Uytterhoeven Cc: Dan Carpenter , Benjamin Herrenschmidt , linux-fbdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org On Tuesday, November 07, 2017 03:05:05 PM Geert Uytterhoeven wrote: > Dan's static analysis says: > > drivers/video/fbdev/controlfb.c:560 control_setup() > error: buffer overflow 'control_mac_modes' 20 <= 21 > > Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22, > which may lead to an out of bounds read when parsing vmode commandline > options. > > The bug was introduced in v2.4.5.6, when 2 new modes were added to > macmodes.h, but control_mac_modes[] wasn't updated: > > https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id)f279c764808560eaceb88fef36cbc35c529aad > > Augment control_mac_modes[] with the two new video modes to fix this. > > Reported-by: Dan Carpenter > Signed-off-by: Geert Uytterhoeven Patch queued for 4.15, thanks. Best regards, -- Bartlomiej Zolnierkiewicz Samsung R&D Institute Poland Samsung Electronics From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mailout1.samsung.com (mailout1.samsung.com [203.254.224.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 3yXp872K1dzDrKD for ; Fri, 10 Nov 2017 03:11:49 +1100 (AEDT) From: Bartlomiej Zolnierkiewicz To: Geert Uytterhoeven Cc: Dan Carpenter , Benjamin Herrenschmidt , linux-fbdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] fbdev: controlfb: Add missing modes to fix out of bounds access Date: Thu, 09 Nov 2017 17:11:42 +0100 Message-id: <3213289.UpBeyY0aCM@amdc3058> In-reply-to: <1510063505-2063-1-git-send-email-geert@linux-m68k.org> MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" References: <1510063505-2063-1-git-send-email-geert@linux-m68k.org> List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , On Tuesday, November 07, 2017 03:05:05 PM Geert Uytterhoeven wrote: > Dan's static analysis says: > > drivers/video/fbdev/controlfb.c:560 control_setup() > error: buffer overflow 'control_mac_modes' 20 <= 21 > > Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22, > which may lead to an out of bounds read when parsing vmode commandline > options. > > The bug was introduced in v2.4.5.6, when 2 new modes were added to > macmodes.h, but control_mac_modes[] wasn't updated: > > https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad > > Augment control_mac_modes[] with the two new video modes to fix this. > > Reported-by: Dan Carpenter > Signed-off-by: Geert Uytterhoeven Patch queued for 4.15, thanks. Best regards, -- Bartlomiej Zolnierkiewicz Samsung R&D Institute Poland Samsung Electronics