From patchwork Wed Oct 4 16:42:37 2017
X-Patchwork-Submitter: Geert Uytterhoeven
X-Patchwork-Id: 9985201
In-Reply-To: <20171004125038.gkzaemlefrpfa2m2@mwanda>
References: <20171004125038.gkzaemlefrpfa2m2@mwanda>
From: Geert Uytterhoeven
Date: Wed, 4 Oct 2017 18:42:37 +0200
Subject: Re: [bug report] out of bounds read parsing vmode commandline option
To: Dan Carpenter
Cc: Linux Fbdev development list, "linuxppc-dev@lists.ozlabs.org", Benjamin Herrenschmidt
X-Mailing-List: linux-fbdev@vger.kernel.org

Hi Dan,

On Wed, Oct 4, 2017 at 2:50 PM, Dan Carpenter wrote:
> This bug predates git but it looks like it might be simple to fix if the
> right person looked at the code.
>
> drivers/video/fbdev/controlfb.c:560 control_setup()
> error: buffer overflow 'control_mac_modes' 20 <= 21
>
> drivers/video/fbdev/controlfb.c
>    549  static void __init control_setup(char *options)
>    550  {
>    551          char *this_opt;
>    552
>    553          if (!options || !*options)
>    554                  return;
>    555
>    556          while ((this_opt = strsep(&options, ",")) != NULL) {
>    557                  if (!strncmp(this_opt, "vmode:", 6)) {
>    558                          int vmode = simple_strtoul(this_opt+6, NULL, 0);
>                                     ^^^^^
> We get vmode from the command line.
>
>    559                          if (vmode > 0 && vmode <= VMODE_MAX &&
>                                                  ^^^^^^^^^
> We check that it's <= 22.
>
>    560                              control_mac_modes[vmode - 1].m[1] >= 0)
>                                     ^^^^^^^^^^^^^^^^^
> But the problem is that control_mac_modes[] only has 20 elements so the
> highest valid index is 19. vmode - 1 can be up to 21.

Nice catch!

The bug was introduced in v2.4.5.6, when 2 new modes were added to
macmodes.h, but control_mac_modes[] wasn't updated:
https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad

A simple fix is to check against ARRAY_SIZE(control_mac_modes) instead.
A better fix is to add the missing entries to control_mac_modes[], cfr. the
(gmail-whitespace-damaged) patch below:
(this array lists the maximum color mode (8, 16, or 32 bpp) for each video
mode given RAM restrictions (2 or 4 MiB)).
The 1152x768 mode is probably OK.
Given the 1600x1024 mode has a lower dotclock (112 MHz) than the supported
1280x960 mode, it's probably OK, too.

platinum_reg_init[] and valkyrie_reg_init[] seem to be handled fine.

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

--- a/drivers/video/fbdev/controlfb.h
+++ b/drivers/video/fbdev/controlfb.h
@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_modes[] = {
 {{ 1, 2}}, /* 1152x870, 75Hz */
 {{ 0, 1}}, /* 1280x960, 75Hz */
 {{ 0, 1}}, /* 1280x1024, 75Hz */
+ {{ 1, 2}}, /* 1152x768, 60Hz */
+ {{ 0, 1}}, /* 1600x1024, 60Hz */
 };
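Review bot: the two added rows bring control_mac_modes[] to 22 entries, which matches the `vmode <= VMODE_MAX` check in control_setup(), but nothing in the hunk ties the array length to VMODE_MAX, and that decoupling is exactly how the v2.4.5.6 addition to macmodes.h reintroduced the out-of-bounds read; consider adding `BUILD_BUG_ON(ARRAY_SIZE(control_mac_modes) != VMODE_MAX);` next to the array or in control_setup() so the next new mode fails to build instead of silently reading past the table. As posted the patch also carries no changelog or Signed-off-by and is whitespace-damaged, as the mail itself says, so it needs a clean resend before it can be applied.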
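An added example (not code from the controlfb driver, the patch, or this thread) that models the "vmode:" parsing of control_setup() in user space and contrasts the VMODE_MAX check quoted above with the ARRAY_SIZE() check Geert names as the simple fix; the table contents and the parse_vmode/vmode_in_range helpers are constructed for illustration.

```c
#define _DEFAULT_SOURCE           /* strsep() on glibc */
#include <stdlib.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define VMODE_MAX 22              /* the bound quoted in the thread */

struct max_cmodes { int m[2]; };

/* Constructed 20-entry table, two short of VMODE_MAX as in the bug;
 * the contents are placeholders, not the driver's real limits. */
static const struct max_cmodes control_mac_modes[20] = { {{ 1, 2 }} };

/* Pull the number after "vmode:" out of a comma-separated option string,
 * the same strsep()/strtoul() shape as control_setup(); -1 if absent. */
static long parse_vmode(const char *options)
{
    char buf[128];
    char *p = buf, *this_opt;
    long vmode = -1;

    if (!options || strlen(options) >= sizeof(buf))
        return -1;
    strcpy(buf, options);
    while ((this_opt = strsep(&p, ",")) != NULL)
        if (!strncmp(this_opt, "vmode:", 6))
            vmode = strtol(this_opt + 6, NULL, 0);
    return vmode;
}

/* Pre-fix check: bounded by a constant that drifted from the table size,
 * so vmode - 1 may reach 21 and the driver's array read runs past 20 entries. */
static int vmode_in_range_fragile(long vmode)
{
    return vmode > 0 && vmode <= VMODE_MAX;
}

/* Bound by the table itself; cannot drift when macmodes.h gains modes. */
static int vmode_in_range(long vmode)
{
    return vmode > 0 && (size_t)vmode <= ARRAY_SIZE(control_mac_modes);
}

/* Hardened lookup: the array access only happens after the table-sized
 * check, so index vmode - 1 is always inside control_mac_modes[]. */
static int vmode_usable(long vmode)
{
    return vmode_in_range(vmode) && control_mac_modes[vmode - 1].m[1] >= 0;
}
```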