From: Dan Carpenter <error27@gmail.com>
To: Paul Mundt <lethal@linux-sh.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch 2/2 v2] fbcmap: integer overflow bug
Date: Tue, 16 Nov 2010 09:11:02 +0000 [thread overview]
Message-ID: <20101116090119.GA31724@bicker> (raw)
In-Reply-To: <20101115044820.GA8489@linux-sh.org>
There is an integer overflow in fb_set_user_cmap() because cmap->len * 2
can wrap. It's basically harmless. Your terminal will be messed up
until you type reset.
This patch does three things to fix the bug.
First, it checks the return value of fb_copy_cmap() in fb_alloc_cmap().
That is enough to fix address the overflow.
Second it checks for the integer overflow in fb_set_user_cmap().
Lastly I wanted to cap "cmap->len" in fb_set_user_cmap() much lower
because it gets used to determine the size of allocation. Unfortunately
no one knows what the limit should be. Instead what this patch does
is makes the allocation happen with GFP_KERNEL instead of GFP_ATOMIC
and lets the kmalloc() decide what values of cmap->len are reasonable.
To do this, the patch introduces a function called fb_alloc_cmap_gfp()
which is like fb_alloc_cmap() except that it takes a GFP flag.
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
v2: Fix overflow check in fb_set_user_cmap(). Return -E2BIG on error.
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 7fca3dc..d1631d3 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -1122,6 +1122,7 @@ extern const struct fb_videomode *fb_find_best_display(const struct fb_monspecs
/* drivers/video/fbcmap.c */
extern int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp);
+extern int fb_alloc_cmap_gfp(struct fb_cmap *cmap, int len, int transp, gfp_t flags);
extern void fb_dealloc_cmap(struct fb_cmap *cmap);
extern int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to);
extern int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to);
diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
index a79b976..affdf3e 100644
--- a/drivers/video/fbcmap.c
+++ b/drivers/video/fbcmap.c
@@ -88,26 +88,27 @@ static const struct fb_cmap default_16_colors = {
*
*/
-int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp)
+int fb_alloc_cmap_gfp(struct fb_cmap *cmap, int len, int transp, gfp_t flags)
{
int size = len * sizeof(u16);
+ int ret = -ENOMEM;
if (cmap->len != len) {
fb_dealloc_cmap(cmap);
if (!len)
return 0;
- cmap->red = kmalloc(size, GFP_ATOMIC);
+ cmap->red = kmalloc(size, flags);
if (!cmap->red)
goto fail;
- cmap->green = kmalloc(size, GFP_ATOMIC);
+ cmap->green = kmalloc(size, flags);
if (!cmap->green)
goto fail;
- cmap->blue = kmalloc(size, GFP_ATOMIC);
+ cmap->blue = kmalloc(size, flags);
if (!cmap->blue)
goto fail;
if (transp) {
- cmap->transp = kmalloc(size, GFP_ATOMIC);
+ cmap->transp = kmalloc(size, flags);
if (!cmap->transp)
goto fail;
} else {
@@ -116,12 +117,19 @@ int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp)
}
cmap->start = 0;
cmap->len = len;
- fb_copy_cmap(fb_default_cmap(len), cmap);
+ ret = fb_copy_cmap(fb_default_cmap(len), cmap);
+ if (ret)
+ goto fail;
return 0;
fail:
fb_dealloc_cmap(cmap);
- return -ENOMEM;
+ return ret;
+}
+
+int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp)
+{
+ return fb_alloc_cmap_gfp(cmap, len, transp, GFP_ATOMIC);
}
/**
@@ -256,8 +264,12 @@ int fb_set_user_cmap(struct fb_cmap_user *cmap, struct fb_info *info)
int rc, size = cmap->len * sizeof(u16);
struct fb_cmap umap;
+ if (size < 0 || size < cmap->len)
+ return -E2BIG;
+
memset(&umap, 0, sizeof(struct fb_cmap));
- rc = fb_alloc_cmap(&umap, cmap->len, cmap->transp != NULL);
+ rc = fb_alloc_cmap_gfp(&umap, cmap->len, cmap->transp != NULL,
+ GFP_KERNEL);
if (rc)
return rc;
if (copy_from_user(umap.red, cmap->red, size) ||
prev parent reply other threads:[~2010-11-16 9:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-27 9:37 [RFC] [patch] fbcmap: integer overflow bug Dan Carpenter
2010-11-05 20:40 ` Andrew Morton
2010-11-13 10:06 ` [patch 1/2] fbcmap: cleanup white space in fb_alloc_cmap() Dan Carpenter
2010-11-18 6:00 ` Paul Mundt
2010-11-13 10:07 ` [patch 2/2] fbcmap: integer overflow bug Dan Carpenter
2010-11-15 4:48 ` Paul Mundt
2010-11-15 6:56 ` Geert Uytterhoeven
2010-11-15 7:20 ` Dan Carpenter
2010-11-15 8:01 ` walter harms
2010-11-15 8:14 ` Dan Carpenter
2010-11-16 9:11 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101116090119.GA31724@bicker \
--to=error27@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=lethal@linux-sh.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).