lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 27 Feb 2022 14:17:16 +0800
From:   Zheyu Ma <zheyuma97@...il.com>
To:     Helge Deller <deller@....de>
Cc:     sudipm.mukherjee@...il.com, teddy.wang@...iconmotion.com,
        dri-devel@...ts.freedesktop.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-fbdev@...r.kernel.org
Subject: Re: [BUG] fbdev: sm712fb: Page fault in smtcfb_read

On Sat, Feb 26, 2022 at 11:03 PM Helge Deller <deller@....de> wrote:
>
> * Zheyu Ma <zheyuma97@...il.com>:
> > I found a minor in the smtcfb_read() function of the driver sm712fb.
> >
> > This read function can not handle the case that the size of the
> > buffer is 3 and does not check for it, which may cause a page fault.
> >
> > The following log reveals it:
> >
> > [ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
> > [ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
> > [ 2432.626551] Call Trace:
> > [ 2432.626770]  <TASK>
> > [ 2432.626950]  vfs_read+0x198/0xa00
> > [ 2432.627225]  ? do_sys_openat2+0x27d/0x350
> > [ 2432.627552]  ? __fget_light+0x54/0x340
> > [ 2432.627871]  ksys_read+0xce/0x190
> > [ 2432.628143]  do_syscall_64+0x43/0x90
>
> Could you try the attached patch ?

Good, the patch works for me, thanks.

Tested-by: Zheyu Ma <zheyuma97@...il.com>
>
>
> diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
> index 0dbc6bf8268a..ab45212ccf66 100644
> --- a/drivers/video/fbdev/sm712fb.c
> +++ b/drivers/video/fbdev/sm712fb.c
> @@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
>         if (count + p > total_size)
>                 count = total_size - p;
>
> -       buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
> +       buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
>         if (!buffer)
>                 return -ENOMEM;
>
> @@ -1059,25 +1059,11 @@ static ssize_t smtcfb_read(struct fb_info *info, char __user *buf,
>         while (count) {
>                 c = (count > PAGE_SIZE) ? PAGE_SIZE : count;
>                 dst = buffer;
> -               for (i = c >> 2; i--;) {
> -                       *dst = fb_readl(src++);
> -                       *dst = big_swap(*dst);
> +               for (i = (c + 3) >> 2; i--;) {
> +                       u32 val = fb_readl(src++);
> +                       *dst = big_swap(val);
>                         dst++;
>                 }
> -               if (c & 3) {
> -                       u8 *dst8 = (u8 *)dst;
> -                       u8 __iomem *src8 = (u8 __iomem *)src;
> -
> -                       for (i = c & 3; i--;) {
> -                               if (i & 1) {
> -                                       *dst8++ = fb_readb(++src8);
> -                               } else {
> -                                       *dst8++ = fb_readb(--src8);
> -                                       src8 += 2;
> -                               }
> -                       }
> -                       src = (u32 __iomem *)src8;
> -               }
>
>                 if (copy_to_user(buf, buffer, c)) {
>                         err = -EFAULT;

Regards,
Zheyu Ma

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ