linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] fbdev: tgafb: Fix potential divide by zero
@ 2023-03-07 13:08 harperchen
  2023-03-08 22:05 ` Helge Deller
  0 siblings, 1 reply; 5+ messages in thread
From: harperchen @ 2023-03-07 13:08 UTC (permalink / raw)
  To: deller
  Cc: javierm, tzimmermann, wsa+renesas, linux-fbdev, dri-devel,
	linux-kernel, harperchen

fb_set_var would by called when user invokes ioctl with cmd
FBIOPUT_VSCREENINFO. User-provided data would finally reach
tgafb_check_var. In case var->pixclock is assigned to zero,
divide by zero would occur when checking whether reciprocal
of var->pixclock is too high.

Similar crashes have happened in other fbdev drivers. There
is no check and modification on var->pixclock along the call
chain to tgafb_check_var. We believe it could also be triggered
in driver tgafb from user site.

Signed-off-by: harperchen <harperchen1110@gmail.com>
---
 drivers/video/fbdev/tgafb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
index 14d37c49633c..b44004880f0d 100644
--- a/drivers/video/fbdev/tgafb.c
+++ b/drivers/video/fbdev/tgafb.c
@@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 {
 	struct tga_par *par = (struct tga_par *)info->par;
 
+	if (!var->pixclock)
+		return -EINVAL;
+
 	if (par->tga_type == TGA_TYPE_8PLANE) {
 		if (var->bits_per_pixel != 8)
 			return -EINVAL;
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] fbdev: tgafb: Fix potential divide by zero
  2023-03-07 13:08 [PATCH] fbdev: tgafb: Fix potential divide by zero harperchen
@ 2023-03-08 22:05 ` Helge Deller
  2023-03-09  6:11   ` Wei Chen
  2023-03-09  7:53   ` Jani Nikula
  0 siblings, 2 replies; 5+ messages in thread
From: Helge Deller @ 2023-03-08 22:05 UTC (permalink / raw)
  To: harperchen
  Cc: javierm, tzimmermann, wsa+renesas, linux-fbdev, dri-devel, linux-kernel

On 3/7/23 14:08, harperchen wrote:
> fb_set_var would by called when user invokes ioctl with cmd
> FBIOPUT_VSCREENINFO. User-provided data would finally reach
> tgafb_check_var. In case var->pixclock is assigned to zero,
> divide by zero would occur when checking whether reciprocal
> of var->pixclock is too high.
>
> Similar crashes have happened in other fbdev drivers. There
> is no check and modification on var->pixclock along the call
> chain to tgafb_check_var. We believe it could also be triggered
> in driver tgafb from user site.
>
> Signed-off-by: harperchen <harperchen1110@gmail.com>

Could you provide a real name?
Otherwise applied to fbdev git tree.

Thanks!
Helge

> ---
>   drivers/video/fbdev/tgafb.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
> index 14d37c49633c..b44004880f0d 100644
> --- a/drivers/video/fbdev/tgafb.c
> +++ b/drivers/video/fbdev/tgafb.c
> @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
>   {
>   	struct tga_par *par = (struct tga_par *)info->par;
>
> +	if (!var->pixclock)
> +		return -EINVAL;
> +
>   	if (par->tga_type == TGA_TYPE_8PLANE) {
>   		if (var->bits_per_pixel != 8)
>   			return -EINVAL;


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] fbdev: tgafb: Fix potential divide by zero
  2023-03-08 22:05 ` Helge Deller
@ 2023-03-09  6:11   ` Wei Chen
  2023-03-09  7:53   ` Jani Nikula
  1 sibling, 0 replies; 5+ messages in thread
From: Wei Chen @ 2023-03-09  6:11 UTC (permalink / raw)
  To: Helge Deller
  Cc: javierm, tzimmermann, wsa+renesas, linux-fbdev, dri-devel, linux-kernel

Dear Helge,

Thank you for the kind words. My real name is Wei Chen.

Please apply this patch to fbdev git tree if it is correct.

Best,
Wei

On Thu, 9 Mar 2023 at 06:05, Helge Deller <deller@gmx.de> wrote:
>
> On 3/7/23 14:08, harperchen wrote:
> > fb_set_var would by called when user invokes ioctl with cmd
> > FBIOPUT_VSCREENINFO. User-provided data would finally reach
> > tgafb_check_var. In case var->pixclock is assigned to zero,
> > divide by zero would occur when checking whether reciprocal
> > of var->pixclock is too high.
> >
> > Similar crashes have happened in other fbdev drivers. There
> > is no check and modification on var->pixclock along the call
> > chain to tgafb_check_var. We believe it could also be triggered
> > in driver tgafb from user site.
> >
> > Signed-off-by: harperchen <harperchen1110@gmail.com>
>
> Could you provide a real name?
> Otherwise applied to fbdev git tree.
>
> Thanks!
> Helge
>
> > ---
> >   drivers/video/fbdev/tgafb.c | 3 +++
> >   1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
> > index 14d37c49633c..b44004880f0d 100644
> > --- a/drivers/video/fbdev/tgafb.c
> > +++ b/drivers/video/fbdev/tgafb.c
> > @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
> >   {
> >       struct tga_par *par = (struct tga_par *)info->par;
> >
> > +     if (!var->pixclock)
> > +             return -EINVAL;
> > +
> >       if (par->tga_type == TGA_TYPE_8PLANE) {
> >               if (var->bits_per_pixel != 8)
> >                       return -EINVAL;
>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] fbdev: tgafb: Fix potential divide by zero
  2023-03-08 22:05 ` Helge Deller
  2023-03-09  6:11   ` Wei Chen
@ 2023-03-09  7:53   ` Jani Nikula
  2023-03-09  8:15     ` Helge Deller
  1 sibling, 1 reply; 5+ messages in thread
From: Jani Nikula @ 2023-03-09  7:53 UTC (permalink / raw)
  To: Helge Deller, harperchen
  Cc: linux-fbdev, javierm, dri-devel, linux-kernel, wsa+renesas, tzimmermann

On Wed, 08 Mar 2023, Helge Deller <deller@gmx.de> wrote:
> On 3/7/23 14:08, harperchen wrote:
>> fb_set_var would by called when user invokes ioctl with cmd
>> FBIOPUT_VSCREENINFO. User-provided data would finally reach
>> tgafb_check_var. In case var->pixclock is assigned to zero,
>> divide by zero would occur when checking whether reciprocal
>> of var->pixclock is too high.
>>
>> Similar crashes have happened in other fbdev drivers. There
>> is no check and modification on var->pixclock along the call
>> chain to tgafb_check_var. We believe it could also be triggered
>> in driver tgafb from user site.
>>
>> Signed-off-by: harperchen <harperchen1110@gmail.com>
>
> Could you provide a real name?
> Otherwise applied to fbdev git tree.

See commit d4563201f33a ("Documentation: simplify and clarify DCO
contribution example language").

BR,
Jani.


>
> Thanks!
> Helge
>
>> ---
>>   drivers/video/fbdev/tgafb.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
>> index 14d37c49633c..b44004880f0d 100644
>> --- a/drivers/video/fbdev/tgafb.c
>> +++ b/drivers/video/fbdev/tgafb.c
>> @@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
>>   {
>>   	struct tga_par *par = (struct tga_par *)info->par;
>>
>> +	if (!var->pixclock)
>> +		return -EINVAL;
>> +
>>   	if (par->tga_type == TGA_TYPE_8PLANE) {
>>   		if (var->bits_per_pixel != 8)
>>   			return -EINVAL;
>

-- 
Jani Nikula, Intel Open Source Graphics Center

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] fbdev: tgafb: Fix potential divide by zero
  2023-03-09  7:53   ` Jani Nikula
@ 2023-03-09  8:15     ` Helge Deller
  0 siblings, 0 replies; 5+ messages in thread
From: Helge Deller @ 2023-03-09  8:15 UTC (permalink / raw)
  To: Jani Nikula, harperchen
  Cc: linux-fbdev, javierm, dri-devel, linux-kernel, wsa+renesas, tzimmermann

On 3/9/23 08:53, Jani Nikula wrote:
> On Wed, 08 Mar 2023, Helge Deller <deller@gmx.de> wrote:
>> On 3/7/23 14:08, harperchen wrote:
>>> fb_set_var would by called when user invokes ioctl with cmd
>>> FBIOPUT_VSCREENINFO. User-provided data would finally reach
>>> tgafb_check_var. In case var->pixclock is assigned to zero,
>>> divide by zero would occur when checking whether reciprocal
>>> of var->pixclock is too high.
>>>
>>> Similar crashes have happened in other fbdev drivers. There
>>> is no check and modification on var->pixclock along the call
>>> chain to tgafb_check_var. We believe it could also be triggered
>>> in driver tgafb from user site.
>>>
>>> Signed-off-by: harperchen <harperchen1110@gmail.com>
>>
>> Could you provide a real name?
>> Otherwise applied to fbdev git tree.
>
> See commit d4563201f33a ("Documentation: simplify and clarify DCO
> contribution example language").

Nice. Thanks for that link!
Btw, I did applied that patch yesterday to my tree with just the nickname,
but of course I do prefer real names which is why I asked.

Helge

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-03-09  8:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-07 13:08 [PATCH] fbdev: tgafb: Fix potential divide by zero harperchen
2023-03-08 22:05 ` Helge Deller
2023-03-09  6:11   ` Wei Chen
2023-03-09  7:53   ` Jani Nikula
2023-03-09  8:15     ` Helge Deller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).