lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1449491626-5894-1-git-send-email-clabbe.montjoie@gmail.com>
Date:	Mon,  7 Dec 2015 13:33:45 +0100
From:	LABBE Corentin <clabbe.montjoie@...il.com>
To:	airlied@...ux.ie
Cc:	LABBE Corentin <clabbe.montjoie@...il.com>,
	dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: [PATCH] drm: modes: fix DRM modes analysis regression

My latest commit introduce some case where a valid mode, could be
rejected.
simple_strtox functions stop at first non-digit character, but kstrtox not.
So args like "video=HDMI-A-1:720x480-16@60" will be reject when checking 16@.
The proper solution is to store digits in a specific buffer.

Fixes: 52157a4ca396 ("drm: modes: replace simple_strtoul by kstrtouint")
Reported-by: Kuninori Morimoto <kuninori.morimoto.gx@...esas.com>
Signed-off-by: LABBE Corentin <clabbe.montjoie@...il.com>
---
 drivers/gpu/drm/drm_modes.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index bde9b29..3b5e9a5 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1225,13 +1225,14 @@ bool drm_mode_parse_command_line_for_connector(const char *mode_option,
 					       struct drm_cmdline_mode *mode)
 {
 	const char *name;
-	unsigned int namelen;
+	unsigned int namelen, digit_i;
 	bool res_specified = false, bpp_specified = false, refresh_specified = false;
 	unsigned int xres = 0, yres = 0, bpp = 32, refresh = 0;
 	bool yres_specified = false, cvt = false, rb = false;
 	bool interlace = false, margins = false, was_digit = false;
 	int i, err;
 	enum drm_connector_force force = DRM_FORCE_UNSPECIFIED;
+	char *digits;
 
 #ifdef CONFIG_FB
 	if (!mode_option)
@@ -1245,42 +1246,53 @@ bool drm_mode_parse_command_line_for_connector(const char *mode_option,
 
 	name = mode_option;
 	namelen = strlen(name);
+
+	digits = kzalloc(namelen, GFP_KERNEL);
+	if (!digits)
+		return false;
+	/* The last character must be the last 0 */
+	digit_i = namelen;
+
 	for (i = namelen-1; i >= 0; i--) {
 		switch (name[i]) {
 		case '@':
 			if (!refresh_specified && !bpp_specified &&
 			    !yres_specified && !cvt && !rb && was_digit) {
-				err = kstrtouint(&name[i + 1], 10, &refresh);
+				err = kstrtouint(&digits[digit_i], 10, &refresh);
 				if (err)
 					return false;
 				refresh_specified = true;
 				was_digit = false;
+				digit_i = namelen;
 			} else
 				goto done;
 			break;
 		case '-':
 			if (!bpp_specified && !yres_specified && !cvt &&
 			    !rb && was_digit) {
-				err = kstrtouint(&name[i + 1], 10, &bpp);
+				err = kstrtouint(&digits[digit_i], 10, &bpp);
 				if (err)
 					return false;
 				bpp_specified = true;
 				was_digit = false;
+				digit_i = namelen;
 			} else
 				goto done;
 			break;
 		case 'x':
 			if (!yres_specified && was_digit) {
-				err = kstrtouint(&name[i + 1], 10, &yres);
+				err = kstrtouint(&digits[digit_i], 10, &yres);
 				if (err)
 					return false;
 				yres_specified = true;
 				was_digit = false;
+				digit_i = namelen;
 			} else
 				goto done;
 			break;
 		case '0' ... '9':
 			was_digit = true;
+			digits[--digit_i] = name[i];
 			break;
 		case 'M':
 			if (yres_specified || cvt || was_digit)
@@ -1349,6 +1361,7 @@ done:
 			"parse error at position %i in video mode '%s'\n",
 			i, name);
 		mode->specified = false;
+		kfree(digits);
 		return false;
 	}
 
@@ -1373,6 +1386,7 @@ done:
 	mode->margins = margins;
 	mode->force = force;
 
+	kfree(digits);
 	return true;
 }
 EXPORT_SYMBOL(drm_mode_parse_command_line_for_connector);
-- 
2.4.10

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ