[BUG] fbdev: sm712fb: Page fault in smtcfb

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [BUG] fbdev: sm712fb: Page fault in smtcfb_read
@ 2022-02-26 12:44 Zheyu Ma
  2022-02-26 15:03 ` Helge Deller
  0 siblings, 1 reply; 3+ messages in thread
From: Zheyu Ma @ 2022-02-26 12:44 UTC (permalink / raw)
  To: sudipm.mukherjee, teddy.wang
  Cc: dri-devel, Linux Kernel Mailing List, linux-fbdev

I found a minor in the smtcfb_read() function of the driver sm712fb.

This read function can not handle the case that the size of the
buffer is 3 and does not check for it, which may cause a page fault.

Here is a simple PoC:

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    char buf[10];

    int fd = open("/dev/fb0", O_RDWR);
    read(fd, buf, 3);

    return 0;
}

The following log reveals it:

[ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
[ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
[ 2432.626551] Call Trace:
[ 2432.626770]  <TASK>
[ 2432.626950]  vfs_read+0x198/0xa00
[ 2432.627225]  ? do_sys_openat2+0x27d/0x350
[ 2432.627552]  ? __fget_light+0x54/0x340
[ 2432.627871]  ksys_read+0xce/0x190
[ 2432.628143]  do_syscall_64+0x43/0x90

Regards,
Zheyu Ma

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [BUG] fbdev: sm712fb: Page fault in smtcfb_read
  2022-02-26 12:44 [BUG] fbdev: sm712fb: Page fault in smtcfb_read Zheyu Ma
@ 2022-02-26 15:03 ` Helge Deller
  2022-02-27  6:17   ` Zheyu Ma
  0 siblings, 1 reply; 3+ messages in thread
From: Helge Deller @ 2022-02-26 15:03 UTC (permalink / raw)
  To: Zheyu Ma
  Cc: sudipm.mukherjee, teddy.wang, dri-devel,
	Linux Kernel Mailing List, linux-fbdev

* Zheyu Ma <zheyuma97@gmail.com>:
> I found a minor in the smtcfb_read() function of the driver sm712fb.
>
> This read function can not handle the case that the size of the
> buffer is 3 and does not check for it, which may cause a page fault.
>
> The following log reveals it:
>
> [ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
> [ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
> [ 2432.626551] Call Trace:
> [ 2432.626770]  <TASK>
> [ 2432.626950]  vfs_read+0x198/0xa00
> [ 2432.627225]  ? do_sys_openat2+0x27d/0x350
> [ 2432.627552]  ? __fget_light+0x54/0x340
> [ 2432.627871]  ksys_read+0xce/0x190
> [ 2432.628143]  do_syscall_64+0x43/0x90

Could you try the attached patch ?


diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
index 0dbc6bf8268a..ab45212ccf66 100644
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
 	if (count + p > total_size)
 		count = total_size - p;

-	buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+	buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;

@@ -1059,25 +1059,11 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
 	while (count) {
 		c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
 		dst = buffer;
-		for (i = c >> 2; i--;) {
-			*dst = fb_readl(src++);
-			*dst = big_swap(*dst);
+		for (i = (c + 3) >> 2; i--;) {
+			u32 val = fb_readl(src++);
+			*dst = big_swap(val);
 			dst++;
 		}
-		if (c & 3) {
-			u8 *dst8 = (u8 *)dst;
-			u8 __iomem *src8 = (u8 __iomem *)src;
-
-			for (i = c & 3; i--;) {
-				if (i & 1) {
-					*dst8++ = fb_readb(++src8);
-				} else {
-					*dst8++ = fb_readb(--src8);
-					src8 += 2;
-				}
-			}
-			src = (u32 __iomem *)src8;
-		}

 		if (copy_to_user(buf, buffer, c)) {
 			err = -EFAULT;

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [BUG] fbdev: sm712fb: Page fault in smtcfb_read
  2022-02-26 15:03 ` Helge Deller
@ 2022-02-27  6:17   ` Zheyu Ma
  0 siblings, 0 replies; 3+ messages in thread
From: Zheyu Ma @ 2022-02-27  6:17 UTC (permalink / raw)
  To: Helge Deller
  Cc: sudipm.mukherjee, teddy.wang, dri-devel,
	Linux Kernel Mailing List, linux-fbdev

On Sat, Feb 26, 2022 at 11:03 PM Helge Deller <deller@gmx.de> wrote:
>
> * Zheyu Ma <zheyuma97@gmail.com>:
> > I found a minor in the smtcfb_read() function of the driver sm712fb.
> >
> > This read function can not handle the case that the size of the
> > buffer is 3 and does not check for it, which may cause a page fault.
> >
> > The following log reveals it:
> >
> > [ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
> > [ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
> > [ 2432.626551] Call Trace:
> > [ 2432.626770]  <TASK>
> > [ 2432.626950]  vfs_read+0x198/0xa00
> > [ 2432.627225]  ? do_sys_openat2+0x27d/0x350
> > [ 2432.627552]  ? __fget_light+0x54/0x340
> > [ 2432.627871]  ksys_read+0xce/0x190
> > [ 2432.628143]  do_syscall_64+0x43/0x90
>
> Could you try the attached patch ?

Good, the patch works for me, thanks.

Tested-by: Zheyu Ma <zheyuma97@gmail.com>
>
>
> diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
> index 0dbc6bf8268a..ab45212ccf66 100644
> --- a/drivers/video/fbdev/sm712fb.c
> +++ b/drivers/video/fbdev/sm712fb.c
> @@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
>         if (count + p > total_size)
>                 count = total_size - p;
>
> -       buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
> +       buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
>         if (!buffer)
>                 return -ENOMEM;
>
> @@ -1059,25 +1059,11 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
>         while (count) {
>                 c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
>                 dst = buffer;
> -               for (i = c >> 2; i--;) {
> -                       *dst = fb_readl(src++);
> -                       *dst = big_swap(*dst);
> +               for (i = (c + 3) >> 2; i--;) {
> +                       u32 val = fb_readl(src++);
> +                       *dst = big_swap(val);
>                         dst++;
>                 }
> -               if (c & 3) {
> -                       u8 *dst8 = (u8 *)dst;
> -                       u8 __iomem *src8 = (u8 __iomem *)src;
> -
> -                       for (i = c & 3; i--;) {
> -                               if (i & 1) {
> -                                       *dst8++ = fb_readb(++src8);
> -                               } else {
> -                                       *dst8++ = fb_readb(--src8);
> -                                       src8 += 2;
> -                               }
> -                       }
> -                       src = (u32 __iomem *)src8;
> -               }
>
>                 if (copy_to_user(buf, buffer, c)) {
>                         err = -EFAULT;

Regards,
Zheyu Ma

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-02-27  6:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-02-26 12:44 [BUG] fbdev: sm712fb: Page fault in smtcfb_read Zheyu Ma
2022-02-26 15:03 ` Helge Deller
2022-02-27  6:17   ` Zheyu Ma

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox