From: Yizhuo Zhai <yzhai003@ucr.edu>
To: unlisted-recipients:; (no To-header on input)
Cc: Yizhuo Zhai <yzhai003@ucr.edu>, Helge Deller <deller@gmx.de>, Daniel Vetter <daniel.vetter@ffwll.ch>, Matthew Wilcox <willy@infradead.org>, Sam Ravnborg <sam@ravnborg.org>, Xiyu Yang <xiyuyang19@fudan.edu.cn>, Guenter Roeck <linux@roeck-us.net>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Alex Deucher <alexander.deucher@amd.com>, Zhen Lei <thunder.leizhen@huawei.com>, Zheyu Ma <zheyuma97@gmail.com>, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6] fbdev: fbmem: Fix the implicit type casting
Date: Wed, 2 Feb 2022 15:58:09 -0800
Message-ID: <20220202235811.1621017-2-yzhai003@ucr.edu>
In-Reply-To: <20220202235811.1621017-1-yzhai003@ucr.edu>

In function do_fb_ioctl(), the "arg" is of type unsigned long, and in "case FBIOBLANK:" this argument is cast into an int before passing to fb_blank(). In fb_blank(), the comparison if (blank > FB_BLANK_POWERDOWN) would be bypassed if the original "arg" is a large number, which is possible because it comes from the user input. Fix this by adding the check before the function call.

Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu>
--- drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 0fa7ede94fa6..13083ad8d751 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1160,6 +1160,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, ret = fbcon_set_con2fb_map_ioctl(argp); break; case FBIOBLANK: + if (arg > FB_BLANK_POWERDOWN) + return -EINVAL; console_lock(); lock_fb_info(info); ret = fb_blank(info, arg); -- 2.25.1
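Review bot: The new `arg > FB_BLANK_POWERDOWN` check in `case FBIOBLANK:` returns -EINVAL for every out-of-range value, not only the large ones that the conversion to int distorts, and the changelog does not say how that interacts with the existing `blank > FB_BLANK_POWERDOWN` comparison in fb_blank(); please state whether user space that passed a small out-of-range value sees a behaviour change. The subject promises to fix the implicit cast, yet `fb_blank(info, arg)` still converts unsigned long to int implicitly; after the range check that conversion is harmless, so a short comment or an explicit cast at the call would make the intent visible. On style, the neighbouring case sets `ret` and ends with `break`, so `ret = -EINVAL; break;` would match it, although the early return is safe here because it comes before console_lock().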