lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 16 Jul 2012 09:44:57 +0200
From:	Geert Uytterhoeven <geert@...ux-m68k.org>
To:	Levin Du <zslevin@...il.com>
Cc:	linux-kernel@...r.kernel.org,
	Linux Fbdev development list <linux-fbdev@...r.kernel.org>
Subject: Fwd: video/fbmem.c: Fix __u32 >= 0 condition in fb_do_show_logo.

Never reached lkml due to the HTML.
Resending, with a CC to linux-fbdev added.

---------- Forwarded message ----------
From: Levin Du <zslevin@...il.com>
Date: 2012/7/12
Subject: video/fbmem.c: Fix __u32 >= 0 condition in fb_do_show_logo.
To: linux-kernel@...r.kernel.org
Cc: brad@...uo.com


Dear all,

Since dx or dy in struct fb_image is unsigned 32 bit integer:

struct fb_image {
__u32 dx; /* Where to place image */
__u32 dy;
   ...
}

In fb_do_show_logo(), image->dx or image->dy will always meet the >= 0
condition.
if the logo is large enough (same as to the whole screen, for example) and
rotate is UD or CCW, and image->dx or image->dy will results in a
large value which
makes info->fbops->fb_imageblit fail miserably.

Here is the raw patch:

diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
index ad93629..34a0ba3 100644
--- a/drivers/video/fbmem.c
+++ b/drivers/video/fbmem.c
@@ -419,6 +419,7 @@ static void fb_do_show_logo(struct fb_info *info,
struct fb_image *image,
     int rotate, unsigned int num)
 {
  unsigned int x;
+ long d;

  if (rotate == FB_ROTATE_UR) {
  for (x = 0;
@@ -428,9 +429,10 @@ static void fb_do_show_logo(struct fb_info *info,
struct fb_image *image,
  image->dx += image->width + 8;
  }
  } else if (rotate == FB_ROTATE_UD) {
- for (x = 0; x < num && image->dx >= 0; x++) {
+ d = image->dx;
+ for (x = 0; x < num && d >= 0; x++) {
  info->fbops->fb_imageblit(info, image);
- image->dx -= image->width + 8;
+ d -= image->width + 8;
  }
  } else if (rotate == FB_ROTATE_CW) {
  for (x = 0;
@@ -440,9 +442,10 @@ static void fb_do_show_logo(struct fb_info *info,
struct fb_image *image,
  image->dy += image->height + 8;
  }
  } else if (rotate == FB_ROTATE_CCW) {
- for (x = 0; x < num && image->dy >= 0; x++) {
+ d = image->dy;
+ for (x = 0; x < num && d >= 0; x++) {
  info->fbops->fb_imageblit(info, image);
- image->dy -= image->height + 8;
+ d -= image->height + 8;
  }
  }
 }


Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ