lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMhUBjmFhqTLBscHHVZ1VTSqrJBT1VEevA+KkjY+y9_ZtdRkMg@mail.gmail.com>
Date:   Sun, 3 Apr 2022 19:26:36 +0800
From:   Zheyu Ma <zheyuma97@...il.com>
To:     Helge Deller <deller@....de>
Cc:     linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero

Hi,

I found a bug in the function i740fb_set_par().

When the user calls the ioctl system call without setting the value to
'var->pixclock', the driver will throw a divide error.

This bug occurs because the driver uses the value of 'var->pixclock'
without checking it, as the following code snippet show:

if ((1000000 / var->pixclock) > DACSPEED8) {
     dev_err(info->device, "requested pixclock %i MHz out of range
(max. %i MHz at 8bpp)\n",
         1000000 / var->pixclock, DACSPEED8);
    return -EINVAL;x
}

We can fix this by checking the value of 'var->pixclock' in the
function i740fb_check_var() similar to commit
b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
supported value when this field is zero.
I have no idea about which solution is better.

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
 <TASK>
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]

Regards,
Zheyu Ma

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ