* [PATCH v2 0/3] Error out if 'pixclock' equals zero @ 2021-07-26 10:03 Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 1/3] video: fbdev: asiliantfb: " Zheyu Ma ` (2 more replies) 0 siblings, 3 replies; 5+ messages in thread From: Zheyu Ma @ 2021-07-26 10:03 UTC (permalink / raw) To: adaplas; +Cc: dri-devel, linux-fbdev, linux-kernel, Zheyu Ma Zheyu Ma (3): video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero drivers/video/fbdev/asiliantfb.c | 3 +++ drivers/video/fbdev/kyro/fbdev.c | 3 +++ drivers/video/fbdev/riva/fbdev.c | 3 +++ 3 files changed, 9 insertions(+) -- 2.17.6 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/3] video: fbdev: asiliantfb: Error out if 'pixclock' equals zero 2021-07-26 10:03 [PATCH v2 0/3] Error out if 'pixclock' equals zero Zheyu Ma @ 2021-07-26 10:03 ` Zheyu Ma 2021-09-10 15:16 ` Geert Uytterhoeven 2021-07-26 10:03 ` [PATCH v2 2/3] video: fbdev: kyro: " Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 3/3] video: fbdev: riva: " Zheyu Ma 2 siblings, 1 reply; 5+ messages in thread From: Zheyu Ma @ 2021-07-26 10:03 UTC (permalink / raw) To: adaplas; +Cc: dri-devel, linux-fbdev, linux-kernel, Zheyu Ma The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero first. The following log reveals it: [ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224 [ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730 [ 43.861843] Call Trace: [ 43.861848] ? asiliantfb_remove+0x190/0x190 [ 43.861858] fb_set_var+0x2e4/0xeb0 [ 43.861866] ? fb_blank+0x1a0/0x1a0 [ 43.861873] ? lock_acquire+0x1ef/0x530 [ 43.861884] ? lock_release+0x810/0x810 [ 43.861892] ? lock_is_held_type+0x100/0x140 [ 43.861903] ? ___might_sleep+0x1ee/0x2d0 [ 43.861914] ? __mutex_lock+0x620/0x1190 [ 43.861921] ? do_fb_ioctl+0x313/0x700 [ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0 [ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30 [ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 43.861952] ? lockdep_hardirqs_on+0x59/0x100 [ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0 [ 43.861978] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> --- Changes in v2: - Make commit log more descriptive --- drivers/video/fbdev/asiliantfb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c index 3e006da47752..84c56f525889 100644 --- a/drivers/video/fbdev/asiliantfb.c +++ b/drivers/video/fbdev/asiliantfb.c @@ -227,6 +227,9 @@ static int asiliantfb_check_var(struct fb_var_screeninfo *var, { unsigned long Ftarget, ratio, remainder; + if (!var->pixclock) + return -EINVAL; + ratio = 1000000 / var->pixclock; remainder = 1000000 % var->pixclock; Ftarget = 1000000 * ratio + (1000000 * remainder) / var->pixclock; -- 2.17.6 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/3] video: fbdev: asiliantfb: Error out if 'pixclock' equals zero 2021-07-26 10:03 ` [PATCH v2 1/3] video: fbdev: asiliantfb: " Zheyu Ma @ 2021-09-10 15:16 ` Geert Uytterhoeven 0 siblings, 0 replies; 5+ messages in thread From: Geert Uytterhoeven @ 2021-09-10 15:16 UTC (permalink / raw) To: Zheyu Ma Cc: Antonino A. Daplas, DRI Development, Linux Fbdev development list, Linux Kernel Mailing List, stable Hi Zheyu, On Mon, Jul 26, 2021 at 12:04 PM Zheyu Ma <zheyuma97@gmail.com> wrote: > The userspace program could pass any values to the driver through > ioctl() interface. If the driver doesn't check the value of 'pixclock', > it may cause divide error. > > Fix this by checking whether 'pixclock' is zero first. > > The following log reveals it: > > [ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI > [ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224 > [ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730 > [ 43.861843] Call Trace: > [ 43.861848] ? asiliantfb_remove+0x190/0x190 > [ 43.861858] fb_set_var+0x2e4/0xeb0 > [ 43.861866] ? fb_blank+0x1a0/0x1a0 > [ 43.861873] ? lock_acquire+0x1ef/0x530 > [ 43.861884] ? lock_release+0x810/0x810 > [ 43.861892] ? lock_is_held_type+0x100/0x140 > [ 43.861903] ? ___might_sleep+0x1ee/0x2d0 > [ 43.861914] ? __mutex_lock+0x620/0x1190 > [ 43.861921] ? do_fb_ioctl+0x313/0x700 > [ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0 > [ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30 > [ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60 > [ 43.861952] ? lockdep_hardirqs_on+0x59/0x100 > [ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60 > [ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0 > [ 43.861978] do_fb_ioctl+0x31e/0x700 > > Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> Thanks for your patch! > --- > Changes in v2: > - Make commit log more descriptive > --- > drivers/video/fbdev/asiliantfb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c > index 3e006da47752..84c56f525889 100644 > --- a/drivers/video/fbdev/asiliantfb.c > +++ b/drivers/video/fbdev/asiliantfb.c > @@ -227,6 +227,9 @@ static int asiliantfb_check_var(struct fb_var_screeninfo *var, > { > unsigned long Ftarget, ratio, remainder; > > + if (!var->pixclock) > + return -EINVAL; While this fixes the crash, it is not correct: according to the fbdev API, invalid values must be rounded up to a supported value, if possible. -EINVAL should only be returned if rounding up values in fb_var_screeninfo cannot give a valid mode. The same comment applies to the other patches in this series: [PATCH v2 2/3] video: fbdev: kyro: Error out if 'pixclock' equals zero [PATCH v2 3/3] video: fbdev: riva: Error out if 'pixclock' equals zero > + > ratio = 1000000 / var->pixclock; > remainder = 1000000 % var->pixclock; > Ftarget = 1000000 * ratio + (1000000 * remainder) / var->pixclock; Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 2/3] video: fbdev: kyro: Error out if 'pixclock' equals zero 2021-07-26 10:03 [PATCH v2 0/3] Error out if 'pixclock' equals zero Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 1/3] video: fbdev: asiliantfb: " Zheyu Ma @ 2021-07-26 10:03 ` Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 3/3] video: fbdev: riva: " Zheyu Ma 2 siblings, 0 replies; 5+ messages in thread From: Zheyu Ma @ 2021-07-26 10:03 UTC (permalink / raw) To: adaplas; +Cc: dri-devel, linux-fbdev, linux-kernel, Zheyu Ma The userspace program could pass any values to the driver through ioctl() interface. if the driver doesn't check the value of 'pixclock', it may cause divide error because the value of 'lineclock' and 'frameclock' will be zero. Fix this by checking whether 'pixclock' is zero in kyrofb_check_var(). The following log reveals it: [ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118 [ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80 [ 103.074045] Call Trace: [ 103.074048] ? ___might_sleep+0x1ee/0x2d0 [ 103.074060] ? kyrofb_ioctl+0x330/0x330 [ 103.074069] fb_set_var+0x5bf/0xeb0 [ 103.074078] ? fb_blank+0x1a0/0x1a0 [ 103.074085] ? lock_acquire+0x3bd/0x530 [ 103.074094] ? lock_release+0x810/0x810 [ 103.074103] ? ___might_sleep+0x1ee/0x2d0 [ 103.074114] ? __mutex_lock+0x620/0x1190 [ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0 [ 103.074137] do_fb_ioctl+0x31e/0x700 [ 103.074144] ? fb_getput_cmap+0x280/0x280 [ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0 [ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80 [ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0 [ 103.074199] ? vfs_fileattr_set+0xb60/0xb60 [ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074216] ? lock_release+0x483/0x810 [ 103.074224] ? __fget_files+0x217/0x3d0 [ 103.074234] ? __fget_files+0x239/0x3d0 [ 103.074243] ? do_fb_ioctl+0x700/0x700 [ 103.074250] fb_ioctl+0xe6/0x130 Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> --- Changes in v2: - Make commmit log more descriptive --- drivers/video/fbdev/kyro/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c index 8fbde92ae8b9..6db7e5e83f11 100644 --- a/drivers/video/fbdev/kyro/fbdev.c +++ b/drivers/video/fbdev/kyro/fbdev.c @@ -394,6 +394,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { struct kyrofb_info *par = info->par; + if (!var->pixclock) + return -EINVAL; + if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) { printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel); return -EINVAL; -- 2.17.6 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2 3/3] video: fbdev: riva: Error out if 'pixclock' equals zero 2021-07-26 10:03 [PATCH v2 0/3] Error out if 'pixclock' equals zero Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 1/3] video: fbdev: asiliantfb: " Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 2/3] video: fbdev: kyro: " Zheyu Ma @ 2021-07-26 10:03 ` Zheyu Ma 2 siblings, 0 replies; 5+ messages in thread From: Zheyu Ma @ 2021-07-26 10:03 UTC (permalink / raw) To: adaplas; +Cc: dri-devel, linux-fbdev, linux-kernel, Zheyu Ma The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero first. The following log reveals it: [ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222 [ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70 [ 33.396969] Call Trace: [ 33.396973] ? debug_smp_processor_id+0x1c/0x20 [ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90 [ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0 [ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0 [ 33.397014] ? vprintk_emit+0x110/0x4b0 [ 33.397024] ? vprintk_default+0x26/0x30 [ 33.397033] ? vprintk+0x9c/0x1f0 [ 33.397041] ? printk+0xba/0xed [ 33.397054] ? record_print_text.cold+0x16/0x16 [ 33.397063] ? __kasan_check_read+0x11/0x20 [ 33.397074] ? profile_tick+0xc0/0x100 [ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80 [ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0 [ 33.397102] rivafb_set_par+0xbe/0x610 [ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0 [ 33.397119] fb_set_var+0x5bf/0xeb0 [ 33.397127] ? fb_blank+0x1a0/0x1a0 [ 33.397134] ? lock_acquire+0x1ef/0x530 [ 33.397143] ? lock_release+0x810/0x810 [ 33.397151] ? lock_is_held_type+0x100/0x140 [ 33.397159] ? ___might_sleep+0x1ee/0x2d0 [ 33.397170] ? __mutex_lock+0x620/0x1190 [ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0 [ 33.397190] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> --- Changes in v2: - Make commit log more descriptive --- drivers/video/fbdev/riva/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c index 55554b0433cb..84d5e23ad7d3 100644 --- a/drivers/video/fbdev/riva/fbdev.c +++ b/drivers/video/fbdev/riva/fbdev.c @@ -1084,6 +1084,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) int mode_valid = 0; NVTRACE_ENTER(); + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 1 ... 8: var->red.offset = var->green.offset = var->blue.offset = 0; -- 2.17.6 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-09-10 15:17 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-07-26 10:03 [PATCH v2 0/3] Error out if 'pixclock' equals zero Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 1/3] video: fbdev: asiliantfb: " Zheyu Ma 2021-09-10 15:16 ` Geert Uytterhoeven 2021-07-26 10:03 ` [PATCH v2 2/3] video: fbdev: kyro: " Zheyu Ma 2021-07-26 10:03 ` [PATCH v2 3/3] video: fbdev: riva: " Zheyu Ma
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).