lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Sep 2014 12:38:53 -0400 (EDT) From: Mikulas Patocka <mpatocka@...hat.com> To: Tomi Valkeinen <tomi.valkeinen@...com>, Jean-Christophe Plagniol-Villard <plagnioj@...osoft.com> cc: linux-fbdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH] framebuffer: fix screen corruption when copying The function bitcpy_rev has a bug that may result in screen corruption. The bug happens under these conditions: * the end of the destination area of a copy operation is aligned on a long word boundary * the end of the source area is not aligned on a long word boundary * we are copying more than one long word In this case, the variable shift is non-zero and the variable first is zero. The statements FB_WRITEL(comp(d0, FB_READL(dst), first), dst) reads the last long word of the destination and writes it back unchanged (because first is zero). Correctly, we should write the variable d0 to the last word of the destination in this case. This patch fixes the bug by introducing and extra test if first is zero. The patch also removes the references to fb_memmove in the code that is commented out because fb_memmove was removed from framebuffer subsystem. Signed-off-by: Mikulas Patocka <mpatocka@...hat.com> Cc: stable@...r.kernel.org Index: linux-3.16.1/drivers/video/fbdev/core/cfbcopyarea.c =================================================================== --- linux-3.16.1.orig/drivers/video/cfbcopyarea.c +++ linux-3.16.1/drivers/video/fbdev/core/cfbcopyarea.c @@ -55,8 +55,8 @@ bitcpy(struct fb_info *p, unsigned long * If you suspect bug in this function, compare it with this simple * memmove implementation. */ - fb_memmove((char *)dst + ((dst_idx & (bits - 1))) / 8, - (char *)src + ((src_idx & (bits - 1))) / 8, n / 8); + memmove((char *)dst + ((dst_idx & (bits - 1))) / 8, + (char *)src + ((src_idx & (bits - 1))) / 8, n / 8); return; #endif @@ -221,8 +221,8 @@ bitcpy_rev(struct fb_info *p, unsigned l * If you suspect bug in this function, compare it with this simple * memmove implementation. */ - fb_memmove((char *)dst + ((dst_idx & (bits - 1))) / 8, - (char *)src + ((src_idx & (bits - 1))) / 8, n / 8); + memmove((char *)dst + ((dst_idx & (bits - 1))) / 8, + (char *)src + ((src_idx & (bits - 1))) / 8, n / 8); return; #endif @@ -324,7 +324,10 @@ bitcpy_rev(struct fb_info *p, unsigned l d0 = d0 << left | d1 >> right; } d0 = fb_rev_pixels_in_long(d0, bswapmask); - FB_WRITEL(comp(d0, FB_READL(dst), first), dst); + if (!first) + FB_WRITEL(d0, dst); + else + FB_WRITEL(comp(d0, FB_READL(dst), first), dst); d0 = d1; dst--; n -= dst_idx+1; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists