From: David Laight <David.Laight@ACULAB.COM>
To: 'Yizhuo Zhai' <yzhai003@ucr.edu>
Cc: Helge Deller <deller@gmx.de>,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	Matthew Wilcox <willy@infradead.org>,
	Sam Ravnborg <sam@ravnborg.org>,
	"Zhen Lei" <thunder.leizhen@huawei.com>,
	Guenter Roeck <linux@roeck-us.net>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Zheyu Ma <zheyuma97@gmail.com>,
	Alex Deucher <alexander.deucher@amd.com>,
	Xiyu Yang <xiyuyang19@fudan.edu.cn>,
	"linux-fbdev@vger.kernel.org" <linux-fbdev@vger.kernel.org>,
	"dri-devel@lists.freedesktop.org"
	<dri-devel@lists.freedesktop.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v2] fbdev: fbmem: Fix the implicit type casting
Date: Wed, 2 Feb 2022 09:02:52 +0000
Message-ID: <5286c6acac7c4ee598f6fa4a7ea04b86@AcuMS.aculab.com>
In-Reply-To: <20220201023559.2622144-1-yzhai003@ucr.edu>

From: Yizhuo Zhai
> Sent: 01 February 2022 02:36
> 
> In function do_fb_ioctl(), the "arg" is the type of unsigned long,
> and in "case FBIOBLANK:" this argument is cast into an int before
> passing to fb_blank(). In fb_blank(), the comparison
> if (blank > FB_BLANK_POWERDOWN) would be bypassed if the original
> "arg" is a large number, which is possible because it comes from
> the user input. Fix this by adding the check before the function
> call.

Doesn't this convert invalid values (> FB_BLANK_POWERDOWN)
that should generate errors into valid requests?

	David

> 
> Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu>
> ---
>  drivers/video/fbdev/core/fbmem.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 0fa7ede94fa6..f08326efff54 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
>  	case FBIOBLANK:
>  		console_lock();
>  		lock_fb_info(info);
> +		if (blank > FB_BLANK_POWERDOWN)
> +			blank = FB_BLANK_POWERDOWN;
>  		ret = fb_blank(info, arg);
>  		/* might again call into fb_blank */
>  		fbcon_fb_blanked(info, arg);
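
Review bot: the two added lines test and assign `blank`, but the unchanged calls right after them still pass `arg` to fb_blank() and fbcon_fb_blanked(), and no `blank` variable is declared in the visible context, so the clamp cannot change what those calls receive. Apply the range check to `arg` itself, at its full unsigned long width, before it is narrowed to int. As raised in the reply above, consider rejecting arg > FB_BLANK_POWERDOWN with an error instead of clamping it to a valid value, and if so do it before console_lock() and lock_fb_info() so the early return needs no unlock path.
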
> --
> 2.25.1

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
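
The narrowing described in the quoted commit message, as an added user-space model that is not part of the original thread and is not kernel code: it shows which 64-bit arguments slip past a `blank > FB_BLANK_POWERDOWN` comparison once converted to int, next to a full-width check made before the conversion. The function names are hypothetical, `unsigned long long` stands in for the kernel's `unsigned long` on a 64-bit build, and returning -EINVAL is an assumption that follows the reply's point that invalid values should generate errors.

```c
#include <errno.h>
#include <stdio.h>

#define FB_BLANK_POWERDOWN 4 /* value from the uapi header <linux/fb.h> */

/* Model of the callee: it only sees the argument after conversion to int.
 * Returns 1 when its `blank > FB_BLANK_POWERDOWN` comparison fires. */
static int callee_check_fires(int blank)
{
    return blank > FB_BLANK_POWERDOWN;
}

/* Model of the call site: a 64-bit ioctl argument handed to an int
 * parameter. gcc and clang keep the low 32 bits (implementation-defined). */
static int int_seen_by_callee(unsigned long long arg)
{
    return (int)arg;
}

/* Assumed alternative: range-check at full width, reject before narrowing. */
static int validate_blank_arg(unsigned long long arg)
{
    if (arg > FB_BLANK_POWERDOWN)
        return -EINVAL;
    return (int)arg;
}

int main(void)
{
    /* Constructed sample arguments, not taken from the thread. */
    const unsigned long long samples[] = {
        3ULL,           /* valid mode */
        5ULL,           /* small invalid value: comparison fires */
        0x80000000ULL,  /* becomes INT_MIN: comparison does not fire */
        0xFFFFFFFFULL,  /* becomes -1: comparison does not fire */
        0x100000002ULL, /* high bits dropped: seen as valid mode 2 */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int seen = int_seen_by_callee(samples[i]);

        printf("arg=%#llx seen_as=%d callee_check=%d full_width_check=%d\n",
               samples[i], seen, callee_check_fires(seen),
               validate_blank_arg(samples[i]));
    }
    return 0;
}
```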

