From patchwork Fri Oct 14 00:00:51 2022
X-Patchwork-Submitter: John Cabaj
X-Patchwork-Id: 1689829
From: John Cabaj
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 1/1](upstream) video: fbdev: i740fb: Error out if 'pixclock' equals zero
Date: Thu, 13 Oct 2022 19:00:51 -0500
Message-Id: <20221014000051.176638-1-john.cabaj@canonical.com>

From: Zheyu Ma

CVE-2022-3061

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma
Signed-off-by: Helge Deller
(cherry picked from commit 15cf0b82271b1823fb02ab8c377badba614d95d5)
Signed-off-by: John Cabaj
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index 1434eb0220e7..b61574a4009f 100644 --- a/drivers/video/fbdev/i740fb.c +++ b/drivers/video/fbdev/i740fb.c 
@@ -662,6 +662,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 8: var->red.offset = var->green.offset = var->blue.offset = 0;
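
Review bot: the new zero check at the top of i740fb_check_var() carries no comment, and the division it protects is in a different function: the trace in the commit message puts the fault in i740fb_decode_var() (i740fb.c:444), reached from i740fb_set_par(). The guard therefore holds only while every path into i740fb_set_par() has gone through i740fb_check_var() first. Suggest a one-line comment above 'if (!var->pixclock)' saying that pixclock is used as a divisor in i740fb_decode_var(), and consider having i740fb_decode_var() reject a zero pixclock itself so the fix does not depend on call order.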