From: David Laight <David.Laight@ACULAB.COM> To: 'Yizhuo Zhai' <yzhai003@ucr.edu> Cc: Helge Deller <deller@gmx.de>, Daniel Vetter <daniel.vetter@ffwll.ch>, Matthew Wilcox <willy@infradead.org>, Sam Ravnborg <sam@ravnborg.org>, "Zhen Lei" <thunder.leizhen@huawei.com>, Guenter Roeck <linux@roeck-us.net>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Zheyu Ma <zheyuma97@gmail.com>, Alex Deucher <alexander.deucher@amd.com>, Xiyu Yang <xiyuyang19@fudan.edu.cn>, "linux-fbdev@vger.kernel.org" <linux-fbdev@vger.kernel.org>, "dri-devel@lists.freedesktop.org" <dri-devel@lists.freedesktop.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: RE: [PATCH v2] fbdev: fbmem: Fix the implicit type casting Date: Wed, 2 Feb 2022 09:02:52 +0000 [thread overview] Message-ID: <5286c6acac7c4ee598f6fa4a7ea04b86@AcuMS.aculab.com> (raw) In-Reply-To: <20220201023559.2622144-1-yzhai003@ucr.edu> From: Yizhuo Zhai > Sent: 01 February 2022 02:36 > > In function do_fb_ioctl(), the "arg" is the type of unsigned long, > and in "case FBIOBLANK:" this argument is casted into an int before > passig to fb_blank(). In fb_blank(), the comparision > if (blank > FB_BLANK_POWERDOWN) would be bypass if the original > "arg" is a large number, which is possible because it comes from > the user input. Fix this by adding the check before the function > call. Doesn't this convert invalid values (> FB_BLANK_POWERDOWN) that should generate errors into valid requests? David > > Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu> > --- > drivers/video/fbdev/core/fbmem.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 0fa7ede94fa6..f08326efff54 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > case FBIOBLANK: > console_lock(); > lock_fb_info(info); > + if (blank > FB_BLANK_POWERDOWN) > + blank = FB_BLANK_POWERDOWN; > ret = fb_blank(info, arg); > /* might again call into fb_blank */ > fbcon_fb_blanked(info, arg); > -- > 2.25.1 - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
WARNING: multiple messages have this Message-ID (diff)
From: David Laight <David.Laight@ACULAB.COM> To: 'Yizhuo Zhai' <yzhai003@ucr.edu> Cc: "linux-fbdev@vger.kernel.org" <linux-fbdev@vger.kernel.org>, Xiyu Yang <xiyuyang19@fudan.edu.cn>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Daniel Vetter <daniel.vetter@ffwll.ch>, Helge Deller <deller@gmx.de>, Zheyu Ma <zheyuma97@gmail.com>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, Matthew Wilcox <willy@infradead.org>, "dri-devel@lists.freedesktop.org" <dri-devel@lists.freedesktop.org>, Zhen Lei <thunder.leizhen@huawei.com>, Alex Deucher <alexander.deucher@amd.com>, Sam Ravnborg <sam@ravnborg.org>, Guenter Roeck <linux@roeck-us.net> Subject: RE: [PATCH v2] fbdev: fbmem: Fix the implicit type casting Date: Wed, 2 Feb 2022 09:02:52 +0000 [thread overview] Message-ID: <5286c6acac7c4ee598f6fa4a7ea04b86@AcuMS.aculab.com> (raw) In-Reply-To: <20220201023559.2622144-1-yzhai003@ucr.edu> From: Yizhuo Zhai > Sent: 01 February 2022 02:36 > > In function do_fb_ioctl(), the "arg" is the type of unsigned long, > and in "case FBIOBLANK:" this argument is casted into an int before > passig to fb_blank(). In fb_blank(), the comparision > if (blank > FB_BLANK_POWERDOWN) would be bypass if the original > "arg" is a large number, which is possible because it comes from > the user input. Fix this by adding the check before the function > call. Doesn't this convert invalid values (> FB_BLANK_POWERDOWN) that should generate errors into valid requests? David > > Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu> > --- > drivers/video/fbdev/core/fbmem.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 0fa7ede94fa6..f08326efff54 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > case FBIOBLANK: > console_lock(); > lock_fb_info(info); > + if (blank > FB_BLANK_POWERDOWN) > + blank = FB_BLANK_POWERDOWN; > ret = fb_blank(info, arg); > /* might again call into fb_blank */ > fbcon_fb_blanked(info, arg); > -- > 2.25.1 - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2022-02-02 9:03 UTC|newest] Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-01-31 6:57 [PATCH] fbdev: fbmem: Fix the implicit type casting Yizhuo Zhai 2022-01-31 6:57 ` Yizhuo Zhai 2022-01-31 10:55 ` kernel test robot 2022-01-31 10:55 ` kernel test robot 2022-01-31 10:55 ` kernel test robot 2022-01-31 11:36 ` kernel test robot 2022-01-31 11:36 ` kernel test robot 2022-01-31 11:36 ` kernel test robot 2022-01-31 12:27 ` kernel test robot 2022-01-31 12:27 ` kernel test robot 2022-01-31 12:27 ` kernel test robot 2022-02-01 2:35 ` [PATCH v2] " Yizhuo Zhai 2022-02-01 2:35 ` Yizhuo Zhai 2022-02-02 9:02 ` David Laight [this message] 2022-02-02 9:02 ` David Laight 2022-02-01 15:02 ` [PATCH] " Helge Deller 2022-02-01 15:02 ` Helge Deller 2022-02-01 22:37 ` Yizhuo Zhai 2022-02-02 17:27 ` Sam Ravnborg 2022-02-02 17:27 ` Sam Ravnborg 2022-02-02 17:36 ` Helge Deller 2022-02-02 17:36 ` Helge Deller 2022-02-02 22:58 ` Yizhuo Zhai 2022-02-02 23:16 ` [PATCH v4] " Yizhuo Zhai 2022-02-02 23:16 ` Yizhuo Zhai 2022-02-02 23:16 ` Yizhuo Zhai 2022-02-02 23:16 ` Yizhuo Zhai
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=5286c6acac7c4ee598f6fa4a7ea04b86@AcuMS.aculab.com \ --to=david.laight@aculab.com \ --cc=alexander.deucher@amd.com \ --cc=daniel.vetter@ffwll.ch \ --cc=deller@gmx.de \ --cc=dri-devel@lists.freedesktop.org \ --cc=linux-fbdev@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux@roeck-us.net \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sam@ravnborg.org \ --cc=thunder.leizhen@huawei.com \ --cc=willy@infradead.org \ --cc=xiyuyang19@fudan.edu.cn \ --cc=yzhai003@ucr.edu \ --cc=zheyuma97@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.