From: Jani Nikula <jani.nikula@intel.com>
To: Denis Arefev <arefev@swemel.ru>, Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH 1/1] fbdev: atyfb: Fix buffer overflow
Date: Thu, 27 Mar 2025 12:14:26 +0200 [thread overview]
Message-ID: <87pli26arh.fsf@intel.com> (raw)
In-Reply-To: <20250327100126.12585-2-arefev@swemel.ru>
On Thu, 27 Mar 2025, Denis Arefev <arefev@swemel.ru> wrote:
> The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to
> calculate an index for accessing an array element of size 9.
> This may cause a buffer overflow.
The fix is to fix it, not silently brush it under the carpet.
BR,
Jani.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Denis Arefev <arefev@swemel.ru>
> ---
> drivers/video/fbdev/aty/atyfb_base.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 210fd3ac18a4..93eb5eb6042b 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = {
> void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> {
> if (M64_HAS(LT_LCD_REGS)) {
> + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> + return;
> aty_st_le32(lt_lcd_regs[index], val, par);
> } else {
> unsigned long temp;
> @@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> u32 aty_ld_lcd(int index, const struct atyfb_par *par)
> {
> if (M64_HAS(LT_LCD_REGS)) {
> + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> + return 0;
> return aty_ld_le32(lt_lcd_regs[index], par);
> } else {
> unsigned long temp;
--
Jani Nikula, Intel
next prev parent reply other threads:[~2025-03-27 10:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-27 10:01 [PATCH 0/1] fbdev: atyfb: Fix buffer overflow Denis Arefev
2025-03-27 10:01 ` [PATCH 1/1] " Denis Arefev
2025-03-27 10:14 ` Jani Nikula [this message]
2025-03-31 19:55 ` Ville Syrjälä
2025-04-01 8:40 ` Denis Arefev
2025-04-01 9:03 ` Helge Deller
2025-04-01 10:23 ` Denis Arefev
2025-04-01 16:26 ` Ville Syrjälä
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pli26arh.fsf@intel.com \
--to=jani.nikula@intel.com \
--cc=arefev@swemel.ru \
--cc=deller@gmx.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.