From: Jani Nikula <jani.nikula@intel.com>
To: Denis Arefev <arefev@swemel.ru>, Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH 1/1] fbdev: atyfb: Fix buffer overflow
Date: Thu, 27 Mar 2025 12:14:26 +0200 [thread overview]
Message-ID: <87pli26arh.fsf@intel.com> (raw)
In-Reply-To: <20250327100126.12585-2-arefev@swemel.ru>
On Thu, 27 Mar 2025, Denis Arefev <arefev@swemel.ru> wrote:
> The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to
> calculate an index for accessing an array element of size 9.
> This may cause a buffer overflow.
The fix is to fix it, not silently brush it under the carpet.
BR,
Jani.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Denis Arefev <arefev@swemel.ru>
> ---
> drivers/video/fbdev/aty/atyfb_base.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 210fd3ac18a4..93eb5eb6042b 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = {
> void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> {
> if (M64_HAS(LT_LCD_REGS)) {
> + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> + return;
> aty_st_le32(lt_lcd_regs[index], val, par);
> } else {
> unsigned long temp;
> @@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> u32 aty_ld_lcd(int index, const struct atyfb_par *par)
> {
> if (M64_HAS(LT_LCD_REGS)) {
> + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> + return 0;
> return aty_ld_le32(lt_lcd_regs[index], par);
> } else {
> unsigned long temp;
--
Jani Nikula, Intel
next prev parent reply other threads:[~2025-03-27 10:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-27 10:01 [PATCH 0/1] fbdev: atyfb: Fix buffer overflow Denis Arefev
2025-03-27 10:01 ` [PATCH 1/1] " Denis Arefev
2025-03-27 10:14 ` Jani Nikula [this message]
2025-03-31 19:55 ` Ville Syrjälä
2025-04-01 8:40 ` Denis Arefev
2025-04-01 9:03 ` Helge Deller
2025-04-01 10:23 ` Denis Arefev
2025-04-01 16:26 ` Ville Syrjälä
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pli26arh.fsf@intel.com \
--to=jani.nikula@intel.com \
--cc=arefev@swemel.ru \
--cc=deller@gmx.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).