From patchwork Fri Oct 14 15:04:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Cabaj <john.cabaj@canonical.com>
X-Patchwork-Id: 1690067
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=c1peBwvG;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4MpqS865pGz1yqk
	for <incoming@patchwork.ozlabs.org>; Sat, 15 Oct 2022 02:04:55 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1ojMEp-0001bj-25; Fri, 14 Oct 2022 15:04:39 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <john.cabaj@canonical.com>) id 1ojMEn-0001bb-OV
 for kernel-team@lists.ubuntu.com; Fri, 14 Oct 2022 15:04:37 +0000
Received: from mail-il1-f198.google.com (mail-il1-f198.google.com
 [209.85.166.198])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 9A1653F472
 for <kernel-team@lists.ubuntu.com>; Fri, 14 Oct 2022 15:04:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1665759877;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=c1peBwvGOJfwX3hYwRbFAIuzk9TqzmzVVo9eF2QukZwEsBTdFFp7eD2teMLTq5gQd
 jrDwWRVlKLKChI57hcpLNHU+dYluKN8jftr4oWN+Cu9ZeCM6DkI5U3S/l63e1LikTh
 aWqBpl8ZVxLGN3xKgrjOQeoLvJUIA5ry1lmSFPxbNleAIyVvQdZskPGLg2uJtRLgcx
 +8DB2A6nanzSPtxPnDeTPPOHpNYZNHoYc++aIXAXh038KcTnBw+Bil7j7U2ODmw4JL
 VUPQ0UU0FLlJN93tPzcIPFPFFZOT2CKvnf97k9niei94PVpp/6KEcIE1YVWi4q2jm1
 sCQIPX74GGBSw==
Received: by mail-il1-f198.google.com with SMTP id
 b7-20020a92c567000000b002fb9207838bso4093079ilj.23
 for <kernel-team@lists.ubuntu.com>; Fri, 14 Oct 2022 08:04:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 b=RVpP8DvspCGA1XvJP5dSSjto5O1NDPZLHJC0BW8wgrSE2dK6gzVqZLOYFEuTbebdL9
 JK1STocjGuLc4YMkpNGqrxPT+ptrnX/iiWxlID76xb19dpZ1iHQNSWjhsuZHRv3x4ZYz
 Ed54WofaDhwtWaznGAVNFJTm7Gld9pm9TYmjvq6K2BPn/A/DXnpN/7TVC8f8LojBy3BX
 IVwFZbQtBNesoRDAk4HpBK/YfbTVJJbPSq8q4jNcnSixUIZXEtjFIEGO4KroMHgKQ2E5
 +VTt4IWu1FC4lo2J+gXOYYkXAtfjBXjecohm4if/onkM+M7BZx9vSWnlRBw0bFoTkudo
 W9WA==
X-Gm-Message-State: ACrzQf2QkjCP5FhKNaumwBef4yg7YNl6IEbGGK/CEBqSrK6LVvTf11nw
 sKB8YrynMzSx8ArRUf3gwXqpq9nVMkmowL4PEjBu2VXCH86amriEMLZqR6LxOIawZkF5vTuvzpt
 5gwY7gU7yk1KGzDsAmUyz6qwQQo/lobhGFUOJoxHQ9w==
X-Received: by 2002:a05:6e02:ef0:b0:2f9:4403:8d28 with SMTP id
 j16-20020a056e020ef000b002f944038d28mr2600171ilk.193.1665759876296;
 Fri, 14 Oct 2022 08:04:36 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM7KGFP/zpeIhnHmlwBKT+CtUdM/JDa2HKp8uQlhqEQePmbi9gL2YB48eHZOkSsFE/lKLSFF6w==
X-Received: by 2002:a05:6e02:ef0:b0:2f9:4403:8d28 with SMTP id
 j16-20020a056e020ef000b002f944038d28mr2600159ilk.193.1665759876037;
 Fri, 14 Oct 2022 08:04:36 -0700 (PDT)
Received: from smtp.gmail.com (068-118-156-024.res.spectrum.com.
 [68.118.156.24]) by smtp.gmail.com with ESMTPSA id
 g17-20020a0566380bd100b0035837e7cff8sm1199763jad.143.2022.10.14.08.04.35
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 14 Oct 2022 08:04:35 -0700 (PDT)
From: John Cabaj <john.cabaj@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/F/B][PATCH 1/1] video: fbdev: i740fb: Error out if 'pixclock'
 equals zero
Date: Fri, 14 Oct 2022 10:04:34 -0500
Message-Id: <20221014150434.8465-1-john.cabaj@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221014150402.8441-1-john.cabaj@canonical.com>
References: <20221014150402.8441-1-john.cabaj@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Zheyu Ma <zheyuma97@gmail.com>

CVE-2022-3061

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
    fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
    do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
    fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 15cf0b82271b1823fb02ab8c377badba614d95d5)
Signed-off-by: John Cabaj <john.cabaj@canonical.com>
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Acked-by: Cory Todd <cory.todd@canonical.com>
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
index ad5ced4ef972..8fb4e01e1943 100644
--- a/drivers/video/fbdev/i740fb.c
+++ b/drivers/video/fbdev/i740fb.c
@@ -662,6 +662,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
 
 static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 {
+	if (!var->pixclock)
+		return -EINVAL;
+
 	switch (var->bits_per_pixel) {
 	case 8:
 		var->red.offset	= var->green.offset = var->blue.offset = 0;