| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<PH7PR20MB5925BF5AA6B66B9E8733AFD0BF712@PH7PR20MB5925.namprd20.prod.outlook.com>
Date: Thu, 18 Jan 2024 11:49:40 +0800
From: Fullway Wang <fullwaywang@...look.com>
To: adaplas@...il.com,
deller@....de
Cc: linux-fbdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
fullwaywang@...cent.com,
Fullway Wang <fullwaywang@...look.com>
Subject: [PATCH] video: fbdev: savage: Error out if pixclock equals zero
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), but it is not
checked properly in savagefb_probe(). Fix this by checking whether
pixclock is zero in the function savagefb_check_var() before
info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.
Signed-off-by: Fullway Wang <fullwaywang@...look.com>
---
drivers/video/fbdev/savage/savagefb_driver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c
index dddd6afcb972..ebc9aeffdde7 100644
--- a/drivers/video/fbdev/savage/savagefb_driver.c
+++ b/drivers/video/fbdev/savage/savagefb_driver.c
@@ -869,6 +869,9 @@ static int savagefb_check_var(struct fb_var_screeninfo *var,
DBG("savagefb_check_var");
+ if (!var->pixclock)
+ return -EINVAL;
+
var->transp.offset = 0;
var->transp.length = 0;
switch (var->bits_per_pixel) {
--
2.39.3 (Apple Git-145)
Powered by blists - more mailing lists