From patchwork Tue Nov 7 14:05:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Geert Uytterhoeven X-Patchwork-Id: 10046711 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E2A0360247 for ; Tue, 7 Nov 2017 14:05:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6F0C296AC for ; Tue, 7 Nov 2017 14:05:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CA0C729880; Tue, 7 Nov 2017 14:05:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8F0EF296AC for ; Tue, 7 Nov 2017 14:05:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754342AbdKGOFL (ORCPT ); Tue, 7 Nov 2017 09:05:11 -0500 Received: from baptiste.telenet-ops.be ([195.130.132.51]:49426 "EHLO baptiste.telenet-ops.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751620AbdKGOFK (ORCPT ); Tue, 7 Nov 2017 09:05:10 -0500 Received: from ayla.of.borg ([84.195.106.246]) by baptiste.telenet-ops.be with bizsmtp id X2571w0115JzmfG01257XC; Tue, 07 Nov 2017 15:05:08 +0100 Received: from ramsan.of.borg ([192.168.97.29] helo=ramsan) by ayla.of.borg with esmtp (Exim 4.86_2) (envelope-from ) id 1eC4V1-0000Ep-IK; Tue, 07 Nov 2017 15:05:07 +0100 Received: from geert by ramsan with local (Exim 4.86_2) (envelope-from ) id 1eC4V1-0000Xz-Cg; Tue, 07 Nov 2017 15:05:07 +0100 From: Geert Uytterhoeven To: Bartlomiej Zolnierkiewicz Cc: Dan Carpenter , Benjamin Herrenschmidt , linux-fbdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Geert Uytterhoeven Subject: [PATCH] fbdev: controlfb: Add missing modes to fix out of bounds access Date: Tue, 7 Nov 2017 15:05:05 +0100 Message-Id: <1510063505-2063-1-git-send-email-geert@linux-m68k.org> X-Mailer: git-send-email 2.7.4 Sender: linux-fbdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fbdev@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Dan's static analysis says: drivers/video/fbdev/controlfb.c:560 control_setup() error: buffer overflow 'control_mac_modes' 20 <= 21 Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22, which may lead to an out of bounds read when parsing vmode commandline options. The bug was introduced in v2.4.5.6, when 2 new modes were added to macmodes.h, but control_mac_modes[] wasn't updated: https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad Augment control_mac_modes[] with the two new video modes to fix this. Reported-by: Dan Carpenter Signed-off-by: Geert Uytterhoeven --- Compile-tested only. The 1152x768 mode should be OK. Given the 1600x1024 mode has a lower dotclock (112 MHz) than the supported 1280x960 mode, it's probably OK, too. --- drivers/video/fbdev/controlfb.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/controlfb.h b/drivers/video/fbdev/controlfb.h index 6026c60fc1007e00..261522fabdac89ae 100644 --- a/drivers/video/fbdev/controlfb.h +++ b/drivers/video/fbdev/controlfb.h @@ -141,5 +141,7 @@ static struct max_cmodes control_mac_modes[] = { {{ 1, 2}}, /* 1152x870, 75Hz */ {{ 0, 1}}, /* 1280x960, 75Hz */ {{ 0, 1}}, /* 1280x1024, 75Hz */ + {{ 1, 2}}, /* 1152x768, 60Hz */ + {{ 0, 1}}, /* 1600x1024, 60Hz */ };