| Message ID | PH7PR20MB5925C492B7F8CDACB2386DB4BF712@PH7PR20MB5925.namprd20.prod.outlook.com (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | video: fbdev: sis: Error out if pixclock equals zero | expand |
On 1/18/24 07:24, Fullway Wang wrote: > The userspace program could pass any values to the driver through > ioctl() interface. If the driver doesn't check the value of pixclock, > it may cause divide-by-zero error. > > In sisfb_check_var(), var->pixclock is used as a divisor to caculate > drate before it is checked against zero. Fix this by checking it > at the beginning. > > This is similar to CVE-2022-3061 in i740fb which was fixed by > commit 15cf0b8. > > Signed-off-by: Fullway Wang <fullwaywang@outlook.com> > --- > drivers/video/fbdev/sis/sis_main.c | 2 ++ > 1 file changed, 2 insertions(+) I've applied this patch and your savage patch to fbdev git tree. Thanks! Helge
diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c index 803ccb6aa479..009bf1d92644 100644 --- a/drivers/video/fbdev/sis/sis_main.c +++ b/drivers/video/fbdev/sis/sis_main.c @@ -1444,6 +1444,8 @@ sisfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) vtotal = var->upper_margin + var->lower_margin + var->vsync_len; + if (!var->pixclock) + return -EINVAL; pixclock = var->pixclock; if((var->vmode & FB_VMODE_MASK) == FB_VMODE_NONINTERLACED) {
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. In sisfb_check_var(), var->pixclock is used as a divisor to caculate drate before it is checked against zero. Fix this by checking it at the beginning. This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8. Signed-off-by: Fullway Wang <fullwaywang@outlook.com> --- drivers/video/fbdev/sis/sis_main.c | 2 ++ 1 file changed, 2 insertions(+)