[PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Zheyu Ma <zheyuma97@gmail.com>,
	Letu Ren <fantasquex@gmail.com>, Helge Deller <deller@gmx.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error
Date: Tue, 13 Sep 2022 16:07:32 +0200	[thread overview]
Message-ID: <20220913140342.308723271@linuxfoundation.org> (raw)
In-Reply-To: <20220913140342.228397194@linuxfoundation.org>

From: Letu Ren <fantasquex@gmail.com>

commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream.

In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be
copied from user, then go through `fb_set_var()` and
`info->fbops->fb_check_var()` which could may be `pm2fb_check_var()`.
Along the path, `var->pixclock` won't be modified. This function checks
whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is
zero, there will be a divide by zero error. So, it is necessary to check
whether denominator is zero to avoid crash. As this bug is found by
Syzkaller, logs are listed below.

divide error in pm2fb_check_var
Call Trace:
 <TASK>
 fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/pm2fb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
index 9b32b9fc44a5c..50b569d047b10 100644
--- a/drivers/video/fbdev/pm2fb.c
+++ b/drivers/video/fbdev/pm2fb.c
@@ -619,6 +619,11 @@ static int pm2fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 		return -EINVAL;
 	}
 
+	if (!var->pixclock) {
+		DPRINTK("pixclock is zero\n");
+		return -EINVAL;
+	}
+
 	if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) {
 		DPRINTK("pixclock too high (%ldKHz)\n",
 			PICOS2KHZ(var->pixclock));
-- 
2.35.1

next prev parent reply	other threads:[~2022-09-13 15:46 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
2022-09-13 14:07 ` Greg Kroah-Hartman [this message]
2022-11-23  6:34   ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Ulrich Hecht
2022-11-30 16:41     ` Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 06/42] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 09/42] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 10/42] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 11/42] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 12/42] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 13/42] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 14/42] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 15/42] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 16/42] s390: fix nospec table alignments Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 17/42] USB: core: Prevent nested device-reset calls Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 18/42] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 19/42] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 20/42] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
2022-09-14  9:50 ` [PATCH 4.9 00/42] 4.9.328-rc1 review Pavel Machek
2022-09-14 12:40 ` Naresh Kamboju
2022-09-14 15:26 ` Jon Hunter
2022-09-14 17:46 ` Florian Fainelli
2022-09-15  0:16 ` Guenter Roeck

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9b32b9fc44a5 dfblob:50b569d047b1 )
 OR (
bs:"[PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220913140342.308723271@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=deller@gmx.de \
    --cc=fantasquex@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=zheyuma97@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).