Date: Mon, 19 Jul 2021 20:50:03 +0200
From: Sam Ravnborg
To: Zheyu Ma
Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2] video: fbdev: kyro: fix a DoS bug by restricting user input
In-Reply-To: <1626235762-2590-1-git-send-email-zheyuma97@gmail.com>

Hi Zheyu,

On Wed, Jul 14, 2021 at 04:09:22AM +0000, Zheyu Ma wrote:
> The user can pass in any value to the driver through the 'ioctl'
> interface. The driver does not check, which may cause DoS bugs.
>
> The following log reveals it:
>
> divide error: 0000 [#1] PREEMPT SMP KASAN PTI
> RIP: 0010:SetOverlayViewPort+0x133/0x5f0 drivers/video/fbdev/kyro/STG4000OverlayDevice.c:476
> Call Trace:
>  kyro_dev_overlay_viewport_set drivers/video/fbdev/kyro/fbdev.c:378 [inline]
>  kyrofb_ioctl+0x2eb/0x330 drivers/video/fbdev/kyro/fbdev.c:603
>  do_fb_ioctl+0x1f3/0x700 drivers/video/fbdev/core/fbmem.c:1171
>  fb_ioctl+0xeb/0x130 drivers/video/fbdev/core/fbmem.c:1185
>  vfs_ioctl fs/ioctl.c:48 [inline]
>  __do_sys_ioctl fs/ioctl.c:753 [inline]
>  __se_sys_ioctl fs/ioctl.c:739 [inline]
>  __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739
>  do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Signed-off-by: Zheyu Ma
> ---
> Changes in v2:
>     - Validate the inputs on a higher level

Much better, thanks.

When a line is continued like here the statement shall align with the
opening brace.

I fixed it up when applying the patch to drm-misc-next so no need to do
anything this time.

	Sam
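
Added example, not code from the patch or from the kyro driver: a userspace C model of the pattern discussed above, where values taken from an ioctl reach a division in a low-level helper and are rejected at the higher-level entry point instead. The struct, the function names, the screen and source sizes and the scale formula are all assumptions made for illustration; the continued condition is aligned with the opening parenthesis, as the reply asks.

```c
#include <errno.h>
#include <stdint.h>

#define SCREEN_W 1024u	/* assumed display size for this model */
#define SCREEN_H 768u
#define SRC_W    640u	/* assumed source image width */

/* Hypothetical stand-in for the viewport values an ioctl copies in. */
struct viewport {
	uint32_t x, y, width, height;
};

/* Low-level helper: trusts its caller and divides by the clipped width. */
static uint32_t h_scale(const struct viewport *vp)
{
	uint32_t right = vp->x + vp->width;

	if (right > SCREEN_W)
		right = SCREEN_W;
	/* Divisor is zero for e.g. width == 0 or x == SCREEN_W. */
	return (SRC_W << 10) / (right - vp->x);
}

/* Higher-level entry point: reject bad input before the helper runs. */
int viewport_set(const struct viewport *vp, uint32_t *scale)
{
	if (vp->width == 0 || vp->height == 0 ||
	    vp->x >= SCREEN_W || vp->y >= SCREEN_H ||
	    vp->width > UINT32_MAX - vp->x ||
	    vp->height > UINT32_MAX - vp->y)
		return -EINVAL;

	*scale = h_scale(vp);	/* 22.10 fixed-point ratio */
	return 0;
}

int main(void)
{
	struct viewport edge = { SCREEN_W, 0, 16, 16 };	/* constructed input */
	uint32_t scale;

	return viewport_set(&edge, &scale) == -EINVAL ? 0 : 1;
}
```

The zero divisor here comes from a combination of fields (x equal to the screen width), which is why the check belongs where all the caller's values are visible together.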