lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 19 Mar 2024 11:22:49 +0300
From: Sergey Shtylyov <s.shtylyov@....ru>
To: Roman Smirnov <r.smirnov@....ru>, Helge Deller <deller@....de>, Daniel
 Vetter <daniel@...ll.ch>
CC: Thomas Zimmermann <tzimmermann@...e.de>, Karina Yankevich
	<k.yankevich@....ru>, "linux-fbdev@...r.kernel.org"
	<linux-fbdev@...r.kernel.org>, "dri-devel@...ts.freedesktop.org"
	<dri-devel@...ts.freedesktop.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "lvc-project@...uxtesting.org"
	<lvc-project@...uxtesting.org>
Subject: Re: [PATCH v2] fbmon: prevent division by zero in
 fb_videomode_from_videomode()

On 3/19/24 11:12 AM, Roman Smirnov wrote:
[...]

>>>> On 3/5/24 14:51, Roman Smirnov wrote:
>>>>> The expression htotal * vtotal can have a zero value on
>>>>> overflow.
>>>>
>>>> I'm not sure if those always results in zero in kernel on overflow.
>>>> Might be architecture-depended too, but let's assume it
>>>> can become zero, ....
>>>>
>>>>> It is necessary to prevent division by zero like in
>>>>> fb_var_to_videomode().
>>>>>
>>>>> Found by Linux Verification Center (linuxtesting.org) with Svace.
>>>>>
>>>>> Signed-off-by: Roman Smirnov <r.smirnov@....ru>
>>>>> Reviewed-by: Sergey Shtylyov <s.shtylyov@....ru>
>>>>> ---
>>>>>    V1 -> V2: Replaced the code of the first version with a check.
>>>>>
>>>>>    drivers/video/fbdev/core/fbmon.c | 2 +-
>>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/drivers/video/fbdev/core/fbmon.c b/drivers/video/fbdev/core/fbmon.c
>>>>> index 79e5bfbdd34c..b137590386da 100644
>>>>> --- a/drivers/video/fbdev/core/fbmon.c
>>>>> +++ b/drivers/video/fbdev/core/fbmon.c
>>>>> @@ -1344,7 +1344,7 @@ int fb_videomode_from_videomode(const struct videomode *vm,
>>>>>         vtotal = vm->vactive + vm->vfront_porch + vm->vback_porch +
>>>>>                  vm->vsync_len;
>>>>>         /* prevent division by zero */
>>>>> -     if (htotal && vtotal) {
>>>>> +     if (htotal && vtotal && (vm->pixelclock / htotal >= vtotal)) {
>>>>
>>>> why don't you then simply check for
>>>>          if .. ((htotal * vtotal) == 0) ...
>>>> instead?
>>>>
>>>> Helge
>>>
>>> Thomas Zimmermann from the previous discussion said:
>>> On Tue, 5 Mar 2024 11:18:05 +0100 Thomas Zimmerman wrote:
>>>> Maybe use
>>>>
>>>>     if (htotal && vtotal && (vm->pixelclock / htotal >= vtotal))
>>>>
>>>> for the test. That rules out overflowing multiplication and sets
>>>> refresh to 0 in such cases.
>>>
>>> This prevents overflow, which is also a problematic case.
>>
>> I don't like adding another division here and I doubt we have
>> a problem with possible overflow.
>> So, I suggest to keep it simple, something like:
>>        ...
>>        total = htotal * vtotal;
>>        if (total)
>>                fbmode->refresh = vm->pixelclock / total;
>>        else...
> 
> Okay, I'll prepare a third version with that change:
> 
>     if (htotal && vtotal && (htotal * vtotal))

   I think the 1st 2 checks here are now redundant. Also, the inner
parens are not necessary...

> I think that will be enough.

   More than enough. :-)

MBR, Sergey

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ