From patchwork Fri Oct 14 00:00:56 2022
X-Patchwork-Submitter: John Cabaj
X-Patchwork-Id: 1689830
From: John Cabaj
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Bionic][PATCH 1/1](upstream) video: fbdev: i740fb: Error out if 'pixclock' equals zero
Date: Thu, 13 Oct 2022 19:00:56 -0500
Message-Id: <20221014000056.176658-1-john.cabaj@canonical.com>
X-Mailer: git-send-email 2.34.1
List-Id: Kernel team discussions
Sender: "kernel-team"

From: Zheyu Ma

CVE-2022-3061

The userspace program could pass any values to the driver through the
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause a divide error.

Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma
Signed-off-by: Helge Deller
(cherry picked from commit 15cf0b82271b1823fb02ab8c377badba614d95d5)
Signed-off-by: John Cabaj
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
index 4147a9534179..e7e0445b0808 100644
--- a/drivers/video/fbdev/i740fb.c
+++ b/drivers/video/fbdev/i740fb.c
@@ -660,6 +660,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 8: var->red.offset = var->green.offset = var->blue.offset = 0;
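Review bot: the guard lands in i740fb_check_var(), but the division the trace reports is in i740fb_decode_var() (i740fb.c:444), reached from i740fb_set_par(). That covers the FBIOPUT_VSCREENINFO path in the trace, because fb_set_var() runs the fb_check_var hook before fb_set_par, but i740fb_decode_var() itself still trusts var->pixclock, so any other caller that reaches i740fb_set_par() without first going through check_var is not protected by this hunk. As a faithful cherry-pick of the upstream commit that is acceptable; if the driver is hardened further, a matching `if (!var->pixclock) return -EINVAL;` at the top of i740fb_decode_var() would make the guard independent of caller ordering. Also consider a one-line comment above the new check stating why zero is rejected (pixclock is used as a divisor in decode_var), since the bare `return -EINVAL;` gives the next reader no hint.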
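The commit message above describes the failure mode: an untrusted struct fb_var_screeninfo arrives through ioctl() and its pixclock field is used as a divisor in i740fb_decode_var() before anything rejects zero. The following C program is an added example, not code from the patch or from the i740fb driver. It models that trust boundary with a cut-down struct (demo_var) and hypothetical demo_check_var(), demo_decode_var() and demo_set_var() functions, and it assumes the division has the shape of the kernel's PICOS2KHZ() macro (1000000000 / pixclock); the exact expression at i740fb.c:444 is not shown on this page. It shows the patch's check in the check_var step together with a second guard in the decode step, so the result does not depend on which caller runs first.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the fields of struct fb_var_screeninfo this example uses.
 * Real userspace fills the kernel's struct and hands it to
 * ioctl(fd, FBIOPUT_VSCREENINFO, &var); every field arrives untrusted.
 */
struct demo_var {
	uint32_t xres;
	uint32_t yres;
	uint32_t bits_per_pixel;
	uint32_t pixclock;	/* pixel clock period in picoseconds; 0 is meaningless */
};

/*
 * Same arithmetic as the PICOS2KHZ() macro in <linux/fb.h>, reimplemented
 * locally so the example builds without kernel headers. Assumption: the
 * i740fb division at i740fb.c:444 has this shape.
 */
static unsigned long demo_picos2khz(uint32_t picos)
{
	return 1000000000UL / picos;	/* divide error (SIGFPE) when picos == 0 */
}

/*
 * Hypothetical equivalent of the driver's fb_check_var hook after the
 * patch: validate everything userspace controls before any arithmetic.
 */
static int demo_check_var(const struct demo_var *var)
{
	if (!var->pixclock)		/* the check the patch adds */
		return -EINVAL;
	if (!var->xres || !var->yres)
		return -EINVAL;
	switch (var->bits_per_pixel) {
	case 8:
	case 16:
	case 24:
	case 32:
		return 0;
	default:
		return -EINVAL;
	}
}

/*
 * Hypothetical equivalent of i740fb_decode_var(): turns the period into a
 * clock frequency for hardware programming. It re-checks pixclock so it is
 * safe even for a caller that skipped check_var (defence in depth; the
 * patch itself only guards check_var).
 */
static int demo_decode_var(const struct demo_var *var, unsigned long *vclk_khz)
{
	if (!var->pixclock)
		return -EINVAL;
	*vclk_khz = demo_picos2khz(var->pixclock);
	return 0;
}

/*
 * Mirrors the ordering fb_set_var() uses on the ioctl path in the trace:
 * the check_var hook first, then set_par (which calls decode_var).
 */
static int demo_set_var(const struct demo_var *var, unsigned long *vclk_khz)
{
	int ret = demo_check_var(var);

	if (ret)
		return ret;
	return demo_decode_var(var, vclk_khz);
}

int main(void)
{
	/* Constructed inputs: a sane 640x480 mode and the CVE trigger. */
	struct demo_var good = { 640, 480, 8, 40000 };	/* 40000 ps -> 25000 kHz */
	struct demo_var zero = { 640, 480, 8, 0 };
	unsigned long khz = 0;
	int ret;

	ret = demo_set_var(&good, &khz);
	printf("pixclock=%u: ret=%d vclk=%lu kHz\n", good.pixclock, ret, khz);

	ret = demo_set_var(&zero, &khz);
	printf("pixclock=%u: ret=%d (%s)\n", zero.pixclock, ret,
	       ret == -EINVAL ? "rejected before the divide" : "unexpected");
	return 0;
}
```

The point of the second guard is that a validation placed only in the entry hook protects exactly the callers that go through that hook; putting the same cheap test next to the arithmetic that actually needs it removes the dependency on call ordering.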