From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>,
Martin Kepplinger <martin.kepplinger@ginzinger.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Sasha Levin <sashal@kernel.org>,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH AUTOSEL 3.18 27/41] fbdev: fbmem: fix memory access if logo is bigger than the screen
Date: Wed, 27 Mar 2019 14:25:04 -0400 [thread overview]
Message-ID: <20190327182518.19394-27-sashal@kernel.org> (raw)
In-Reply-To: <20190327182518.19394-1-sashal@kernel.org>
From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
[ Upstream commit a5399db139cb3ad9b8502d8b1bd02da9ce0b9df0 ]
There is no clipping on the x or y axis for logos larger that the framebuffer
size. Therefore: a logo bigger than screen size leads to invalid memory access:
[ 1.254664] Backtrace:
[ 1.254728] [<c02714e0>] (cfb_imageblit) from [<c026184c>] (fb_show_logo+0x620/0x684)
[ 1.254763] r10:00000003 r9:00027fd8 r8:c6a40000 r7:c6a36e50 r6:00000000 r5:c06b81e4
[ 1.254774] r4:c6a3e800
[ 1.254810] [<c026122c>] (fb_show_logo) from [<c026c1e4>] (fbcon_switch+0x3fc/0x46c)
[ 1.254842] r10:c6a3e824 r9:c6a3e800 r8:00000000 r7:c6a0c000 r6:c070b014 r5:c6a3e800
[ 1.254852] r4:c6808c00
[ 1.254889] [<c026bde8>] (fbcon_switch) from [<c029c8f8>] (redraw_screen+0xf0/0x1e8)
[ 1.254918] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:c070d5a0 r5:00000080
[ 1.254928] r4:c6808c00
[ 1.254961] [<c029c808>] (redraw_screen) from [<c029d264>] (do_bind_con_driver+0x194/0x2e4)
[ 1.254991] r9:00000000 r8:00000000 r7:00000014 r6:c070d5a0 r5:c070d5a0 r4:c070d5a0
So prevent displaying a logo bigger than screen size and avoid invalid
memory access.
Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbmem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index ea2bd6208a2f..9eae191728d2 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -425,6 +425,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
{
unsigned int x;
+ if (image->width > info->var.xres || image->height > info->var.yres)
+ return;
+
if (rotate == FB_ROTATE_UR) {
for (x = 0;
x < num && image->dx + image->width <= info->var.xres;
--
2.19.1
next prev parent reply other threads:[~2019-03-27 18:27 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-27 18:24 [PATCH AUTOSEL 3.18 01/41] i2c: sis630: correct format strings Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 02/41] tracing: kdb: Fix ftdump to not sleep Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 03/41] sysctl: handle overflow for file-max Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 04/41] mm/cma.c: cma_declare_contiguous: correct err handling Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 05/41] mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 06/41] mm/slab.c: kmemleak no scan alien caches Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 07/41] ocfs2: fix a panic problem caused by o2cb_ctl Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 08/41] cifs: use correct format characters Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 09/41] dm thin: add sanity checks to thin-pool and external snapshot creation Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 10/41] cifs: Fix NULL pointer dereference of devname Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 11/41] fs: fix guard_bio_eod to check for real EOD errors Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 12/41] tools lib traceevent: Fix buffer overflow in arg_eval Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 13/41] scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 14/41] ARM: 8840/1: use a raw_spinlock_t in unwind Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 15/41] mmc: omap: fix the maximum timeout setting Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 16/41] e1000e: Fix -Wformat-truncation warnings Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 17/41] IB/mlx4: Increase the timeout for CM cache Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 18/41] scsi: megaraid_sas: return error when create DMA pool failed Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 19/41] SoC: imx-sgtl5000: add missing put_device() Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 20/41] leds: lp55xx: fix null deref on firmware load failure Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 21/41] kprobes: Prohibit probing on bsearch() Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 22/41] ARM: 8833/1: Ensure that NEON code always compiles with Clang Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 23/41] ALSA: PCM: check if ops are defined before suspending PCM Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 24/41] bcache: fix input overflow to cache set sysfs file io_error_halflife Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 25/41] bcache: fix input overflow to sequential_cutoff Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 26/41] bcache: improve sysfs_strtoul_clamp() Sasha Levin
2019-03-27 18:25 ` Sasha Levin [this message]
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 28/41] cdrom: Fix race condition in cdrom_sysctl_register Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 29/41] e1000e: fix cyclic resets at link up with active tx Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 30/41] locking/lockdep: Add debug_locks check in __lock_downgrade() Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 31/41] tty: increase the default flip buffer limit to 2*640K Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 32/41] media: mt9m111: set initial frame size other than 0x0 Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 33/41] hwrng: virtio - Avoid repeated init of completion Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 34/41] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 35/41] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 36/41] dmaengine: imx-dma: fix warning comparison of distinct pointer types Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 37/41] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 38/41] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 39/41] x86/build: Mark per-CPU symbols as absolute explicitly for LLD Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 40/41] dmaengine: tegra: avoid overflow of byte tracking Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 41/41] drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190327182518.19394-27-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred.schlaegl@ginzinger.com \
--cc=martin.kepplinger@ginzinger.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox