| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Feb 2022 09:02:52 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Yizhuo Zhai' <yzhai003@....edu>
CC: Helge Deller <deller@....de>,
Daniel Vetter <daniel.vetter@...ll.ch>,
Matthew Wilcox <willy@...radead.org>,
Sam Ravnborg <sam@...nborg.org>,
"Zhen Lei" <thunder.leizhen@...wei.com>,
Guenter Roeck <linux@...ck-us.net>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Zheyu Ma <zheyuma97@...il.com>,
Alex Deucher <alexander.deucher@....com>,
Xiyu Yang <xiyuyang19@...an.edu.cn>,
"linux-fbdev@...r.kernel.org" <linux-fbdev@...r.kernel.org>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v2] fbdev: fbmem: Fix the implicit type casting
From: Yizhuo Zhai
> Sent: 01 February 2022 02:36
>
> In function do_fb_ioctl(), the "arg" is the type of unsigned long,
> and in "case FBIOBLANK:" this argument is casted into an int before
> passig to fb_blank(). In fb_blank(), the comparision
> if (blank > FB_BLANK_POWERDOWN) would be bypass if the original
> "arg" is a large number, which is possible because it comes from
> the user input. Fix this by adding the check before the function
> call.
Doesn't this convert invalid values (> FB_BLANK_POWERDOWN)
that should generate errors into valid requests?
David
>
> Signed-off-by: Yizhuo Zhai <yzhai003@....edu>
> ---
> drivers/video/fbdev/core/fbmem.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 0fa7ede94fa6..f08326efff54 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
> case FBIOBLANK:
> console_lock();
> lock_fb_info(info);
> + if (blank > FB_BLANK_POWERDOWN)
> + blank = FB_BLANK_POWERDOWN;
> ret = fb_blank(info, arg);
> /* might again call into fb_blank */
> fbcon_fb_blanked(info, arg);
> --
> 2.25.1
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists