lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 26 Feb 2022 16:03:25 +0100
From:   Helge Deller <deller@....de>
To:     Zheyu Ma <zheyuma97@...il.com>
Cc:     sudipm.mukherjee@...il.com, teddy.wang@...iconmotion.com,
        dri-devel@...ts.freedesktop.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-fbdev@...r.kernel.org
Subject: Re: [BUG] fbdev: sm712fb: Page fault in smtcfb_read

* Zheyu Ma <zheyuma97@...il.com>:
> I found a minor in the smtcfb_read() function of the driver sm712fb.
>
> This read function can not handle the case that the size of the
> buffer is 3 and does not check for it, which may cause a page fault.
>
> The following log reveals it:
>
> [ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
> [ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
> [ 2432.626551] Call Trace:
> [ 2432.626770]  <TASK>
> [ 2432.626950]  vfs_read+0x198/0xa00
> [ 2432.627225]  ? do_sys_openat2+0x27d/0x350
> [ 2432.627552]  ? __fget_light+0x54/0x340
> [ 2432.627871]  ksys_read+0xce/0x190
> [ 2432.628143]  do_syscall_64+0x43/0x90

Could you try the attached patch ?


diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
index 0dbc6bf8268a..ab45212ccf66 100644
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
 	if (count + p > total_size)
 		count = total_size - p;

-	buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+	buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;

@@ -1059,25 +1059,11 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
 	while (count) {
 		c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
 		dst = buffer;
-		for (i = c >> 2; i--;) {
-			*dst = fb_readl(src++);
-			*dst = big_swap(*dst);
+		for (i = (c + 3) >> 2; i--;) {
+			u32 val = fb_readl(src++);
+			*dst = big_swap(val);
 			dst++;
 		}
-		if (c & 3) {
-			u8 *dst8 = (u8 *)dst;
-			u8 __iomem *src8 = (u8 __iomem *)src;
-
-			for (i = c & 3; i--;) {
-				if (i & 1) {
-					*dst8++ = fb_readb(++src8);
-				} else {
-					*dst8++ = fb_readb(--src8);
-					src8 += 2;
-				}
-			}
-			src = (u32 __iomem *)src8;
-		}

 		if (copy_to_user(buf, buffer, c)) {
 			err = -EFAULT;

Powered by blists - more mailing lists