| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 3 Apr 2022 19:26:36 +0800
From: Zheyu Ma <zheyuma97@...il.com>
To: Helge Deller <deller@....de>
Cc: linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero
Hi,
I found a bug in the function i740fb_set_par().
When the user calls the ioctl system call without setting the value to
'var->pixclock', the driver will throw a divide error.
This bug occurs because the driver uses the value of 'var->pixclock'
without checking it, as the following code snippet show:
if ((1000000 / var->pixclock) > DACSPEED8) {
dev_err(info->device, "requested pixclock %i MHz out of range
(max. %i MHz at 8bpp)\n",
1000000 / var->pixclock, DACSPEED8);
return -EINVAL;x
}
We can fix this by checking the value of 'var->pixclock' in the
function i740fb_check_var() similar to commit
b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
supported value when this field is zero.
I have no idea about which solution is better.
The following log reveals it:
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
<TASK>
fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
Regards,
Zheyu Ma
Powered by blists - more mailing lists