linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] video: fbdev: sis: catch out of bounds in SiS_DoCalcDelay
@ 2021-02-28  5:30 Tong Zhang
  0 siblings, 0 replies; only message in thread
From: Tong Zhang @ 2021-02-28  5:30 UTC (permalink / raw)
  To: Thomas Winischhofer, dri-devel, linux-fbdev, linux-kernel; +Cc: ztong0001

idx1 is read from hardware and the range is [0, 30],
the size of ThLowA and ThLowB is 24, so there could possibly an out of
bounds access. This patch catches the OOB access and print a warning.

[    4.771691] ==================================================================
[    4.771693] BUG: KASAN: global-out-of-bounds in SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[    4.771718] Read of size 1 at addr ffffffffc0048b1f by task modprobe/96
[    4.771722] CPU: 0 PID: 96 Comm: modprobe Not tainted 5.11.0-rc7 #92
[    4.771727] Call Trace:
[    4.771729]  dump_stack+0x7d/0xa3
[    4.771733]  print_address_description.constprop.0+0x1a/0x140
[    4.771738]  ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[    4.771760]  ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[    4.771782]  kasan_report.cold+0x7f/0x10e
[    4.771786]  ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[    4.771808]  SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[    4.771830]  ? SiS_GetFIFOThresholdIndex300+0xb0/0xb0 [sisfb]
[    4.771853]  ? sisfb_probe.cold+0x3a0f/0x4f7d [sisfb]
[    4.771876]  ? SiS_GetRefCRTVCLK+0x6c/0x80 [sisfb]
[    4.771900]  ? SiS_GetVCLK2Ptr+0x28b/0x800 [sisfb]
[    4.771923]  SiSSetMode+0x26de/0x4770 [sisfb]
[    4.771946]  ? SiS_LoadDAC+0x3e0/0x3e0 [sisfb]
[    4.771968]  ? ___slab_alloc+0x412/0x5d0
[    4.771971]  ? set_inverse_trans_unicode.isra.0+0x147/0x170
[    4.771975]  ? sisfb_syncaccel+0x12f/0x140 [sisfb]
[    4.771998]  sisfb_set_mode.isra.0+0x264/0x12b0 [sisfb]
[    4.772020]  ? kasan_module_alloc+0x5f/0xc0
[    4.772023]  sisfb_set_par+0x3b3/0x930 [sisfb]
[    4.772046]  fbcon_init+0x447/0x980
[    4.772049]  ? sisfb_probe+0x1490/0x1490 [sisfb]
[    4.772071]  visual_init+0x182/0x240
[    4.772074]  do_bind_con_driver+0x2db/0x460
[    4.772078]  do_take_over_console+0x205/0x280
[    4.772082]  do_fbcon_takeover+0x80/0x100
[    4.772085]  register_framebuffer+0x301/0x4c0
[    4.772088]  ? do_remove_conflicting_framebuffers+0xf0/0xf0
[    4.772092]  ? fb_copy_cmap+0x10b/0x160
[    4.772096]  sisfb_probe.cold+0x2fca/0x4f7d [sisfb]
[    4.772120]  ? rpm_resume+0x1cd/0xac0
[    4.772124]  ? sisfb_check_var+0x990/0x990 [sisfb]
[    4.772146]  ? pm_runtime_get_if_active+0x190/0x190
[    4.772150]  ? _raw_spin_lock_irqsave+0x7b/0xd0
[    4.772154]  ? _raw_spin_lock_irqsave+0x7b/0xd0
[    4.772157]  ? __mutex_lock_slowpath+0x10/0x10
[    4.772161]  ? sisfb_check_var+0x990/0x990 [sisfb]
[    4.772183]  local_pci_probe+0x6f/0xb0
[    4.772349] The buggy address belongs to the variable:
[    4.772350]  ThLowA.47581+0x1f/0xffffffffffff9500 [sisfb]
[    4.772373]
[    4.772373] Memory state around the buggy address:
[    4.772375]  ffffffffc0048a00: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
[    4.772377]  ffffffffc0048a80: 00 00 05 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
[    4.772379] >ffffffffc0048b00: 00 00 00 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
[    4.772380]                             ^
[    4.772382]  ffffffffc0048b80: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9
[    4.772384]  ffffffffc0048c00: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9
[    4.772385] ==================================================================

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
 drivers/video/fbdev/sis/init.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c
index b568c646a76c..fb9815e7af4b 100644
--- a/drivers/video/fbdev/sis/init.c
+++ b/drivers/video/fbdev/sis/init.c
@@ -2249,6 +2249,10 @@ SiS_GetFIFOThresholdA300(unsigned short idx1, unsigned short idx2)
 		34, 3,37, 5,47, 7, 67,11
    };
 
+   if (idx1>22) {
+     printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1);
+     idx1 = 22;
+   }
    return (unsigned short)((ThLowA[idx1 + 1] * idx2) + ThLowA[idx1]);
 }
 
@@ -2261,6 +2265,10 @@ SiS_GetFIFOThresholdB300(unsigned short idx1, unsigned short idx2)
 		42, 4,45, 6,55, 8, 75,12
    };
 
+   if (idx1>22) {
+     printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1);
+     idx1 = 22;
+   }
    return (unsigned short)((ThLowB[idx1 + 1] * idx2) + ThLowB[idx1]);
 }
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-02-28  5:31 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-28  5:30 [PATCH] video: fbdev: sis: catch out of bounds in SiS_DoCalcDelay Tong Zhang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).