From: Dan Carpenter <error27@gmail.com>
To: linux-fbdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [RFC] [patch] fbcmap: integer overflow bug
Date: Wed, 27 Oct 2010 11:37:16 +0200 [thread overview]
Message-ID: <20101027093716.GD6062@bicker> (raw)
There is an integer overflow bug in the FBIOPUTCMAP ioctl if
cmap->len * 2 overflows.
It's harmless, except that it messes up the cmap until someone types
`reset`. It could have been caught by checking the return from
fb_copy_cmap().
Or it could have been caught by limiting the size of the cmaps to one
page. The cmaps are allocated with GFP_ATOMIC and it makes sense to
limit them.
Different drivers use different sizes of cmaps. There are about 150
drivers. I've checked a bunch (50) of them and the larges cmap.len I've
found is gxt4500 which maxes out at 1024 so PAGE_SIZE is about twice that
length. For some of the 50 I wasn't sure on the limit.
Is PAGE_SIZE a reasonable limit? Does anyone know or do I have to audit
all 150 drivers?
diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
index f53b9f1..6dc5817 100644
--- a/drivers/video/fbcmap.c
+++ b/drivers/video/fbcmap.c
@@ -110,7 +110,9 @@ int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp)
}
cmap->start = 0;
cmap->len = len;
- fb_copy_cmap(fb_default_cmap(len), cmap);
+ if (fb_copy_cmap(fb_default_cmap(len), cmap))
+ goto fail;
+
return 0;
fail:
@@ -250,6 +252,9 @@ int fb_set_user_cmap(struct fb_cmap_user *cmap, struct fb_info *info)
int rc, size = cmap->len * sizeof(u16);
struct fb_cmap umap;
+ if (cmap->len > PAGE_SIZE || cmap->len * sizeof(u16) > PAGE_SIZE)
+ return -EINVAL;
+
memset(&umap, 0, sizeof(struct fb_cmap));
rc = fb_alloc_cmap(&umap, cmap->len, cmap->transp != NULL);
if (rc)
next reply other threads:[~2010-10-27 9:37 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-27 9:37 Dan Carpenter [this message]
2010-11-05 20:40 ` [RFC] [patch] fbcmap: integer overflow bug Andrew Morton
2010-11-13 10:06 ` [patch 1/2] fbcmap: cleanup white space in fb_alloc_cmap() Dan Carpenter
2010-11-18 6:00 ` Paul Mundt
2010-11-13 10:07 ` [patch 2/2] fbcmap: integer overflow bug Dan Carpenter
2010-11-15 4:48 ` Paul Mundt
2010-11-15 6:56 ` Geert Uytterhoeven
2010-11-15 7:20 ` Dan Carpenter
2010-11-15 8:01 ` walter harms
2010-11-15 8:14 ` Dan Carpenter
2010-11-16 9:11 ` [patch 2/2 v2] " Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101027093716.GD6062@bicker \
--to=error27@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).