Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3870776pxv; Tue, 13 Jul 2021 05:52:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxdZ6NWFiqXljDaMwYkODSou+NPpFIkdqg8Gx/8zulbYhaJH8g+wkE1HKZOE0fWQWBtMEcr X-Received: by 2002:a02:3845:: with SMTP id v5mr3893648jae.119.1626180763926; Tue, 13 Jul 2021 05:52:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626180763; cv=none; d=google.com; s=arc-20160816; b=0mmL1OgfH1mBJ/7RFZU4zKlKKkgn0n7j/cxiNqETa50+8SvkrHS3a9138jZ/ttYn6u DuJciZULKgTSevbq2s6FFt1eZYCM6lCZLv8nSJXRpfsLRa92g0Ark7drg5vBsjDHgVUK djSsmLtoivAvo43zujqJIAnYm7vz5MOr8eKxMB8y+00y/FQhDHr0e/OzyNm/Qt3pKUHT PsdHmlJYqjqqWDlgDIgQV6p36Ju2vk/FV9o/bHVIjyY37IF8K2PHo7pIGoLXYGdGaoso ndzbsTGUkMXhK3yXUS+fkVia5aI69j74Ot0iw7eutmW59ZipkkRPQrw/HeThEFmceWUF /E5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature; bh=L6Z19cM06hJr3254lNoc8rFS2DcnQVnOHZzVU5oJkdY=; b=HzGWOyn9+a4hvK2n8yB70S411mdg8CM/JBln5ozzPpRkWVLYkNzLhthljqPaNpHvmY Cgky7e7vbCcJxt2/pNOyEdtVu78aDGEl1c+totMYhRfWgwngDXdPcmxu4HGYWlt3TY1r 51VE4qCOH3zm96B0lhY7ijRJhy4DyvPVl2cxJJWncfkIYOPRN3t9lIWlVuiddXqQROJK k1ose1u0TdqPVsZFVq0rGtbhZX1P9j/DRGSwgSEsY/LzbMrcOIl/3Z0lVdc8mCDhQeC2 8zVGPTYomyQ+3CS6TSyXA5roWy3kggsOfBtiku2ySn4C5xZqiFqCRYZaCq/vpbzDkxjh tWbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RycI6eIu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w9si1558167jad.35.2021.07.13.05.52.31; Tue, 13 Jul 2021 05:52:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RycI6eIu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236369AbhGMMyR (ORCPT + 99 others); Tue, 13 Jul 2021 08:54:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236283AbhGMMyP (ORCPT ); Tue, 13 Jul 2021 08:54:15 -0400 Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BC98C0613DD; Tue, 13 Jul 2021 05:51:25 -0700 (PDT) Received: by mail-pg1-x533.google.com with SMTP id k20so14549192pgg.7; Tue, 13 Jul 2021 05:51:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=L6Z19cM06hJr3254lNoc8rFS2DcnQVnOHZzVU5oJkdY=; b=RycI6eIu6txifUyYNMh21Z91nG+cHEG9+nXcu0OFLcnfvuHYaTD4zWzprYyZhxfLIR +pPn37tSl1Wh1qxt0RlAIJW8O3XbkUw6PvWe6s8yaClJ3wj3Ru+5cPiW/pB7oXDLkVe1 JKg+YvTq9xkOjA3p+6zeapn+LsiAvX3AvKrlTNUWE+xlKntq44HkLyoDkj8+o3RtIAzK t0SKHaWLfohe1KlHJYlnVfolun8NDY2Ww5vLZdQHaesIiUUHRm0/6JWeklCnSoqXHyls Y0DO52xuEFBmYZ8y7etd3TPL+yf/IcJN8YG690uzO7hO6clDVcNk1zROkgIuQ3/OR1VH 6lgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=L6Z19cM06hJr3254lNoc8rFS2DcnQVnOHZzVU5oJkdY=; b=bSS4ew5Myx6R2Oh/oNxowMXxbtKclnMb1oIf4rSy8j78RNC9S2BFBKOl9CAEVFr1jK kvD4IgL1pDyOKo7gbTEEoY+K3t0uZ8MZTKQZFIsNf37rLovk+vV9+4/aTuDS3Zamg/0v KNwr5Xuisi1KBsLBQtINY/T3Vm3J+HVuF28FsvQieiLOpkoUJoajRUz90NVru7ztNuE7 OL2wZjciGanJ96rocxp+Whs5OivPlCB5eUnoC4pczZ/rmz//cdBsufWfMAcn4gU6pNMS fiy9aMw0tlB6AYlRkfl60FlffJnQ7cjhAOmO3jdL/Idzkwr6uFbsiRax/azy9QaxtvVA b9Bw== X-Gm-Message-State: AOAM532K8zIZsUpg9XUA+cDzyE2B+DRmTz0EMveoKmxI57sWmkPraMGn lQDYL7+i3zbzRci0VmuVhg== X-Received: by 2002:a05:6a00:2:b029:32e:3ef0:770a with SMTP id h2-20020a056a000002b029032e3ef0770amr1783208pfk.8.1626180684635; Tue, 13 Jul 2021 05:51:24 -0700 (PDT) Received: from vultr.guest ([107.191.53.97]) by smtp.gmail.com with ESMTPSA id q12sm19617515pfj.220.2021.07.13.05.51.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Jul 2021 05:51:24 -0700 (PDT) From: Zheyu Ma To: dri-devel@lists.freedesktop.org Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Zheyu Ma Subject: [PATCH] video: fbdev: kyrofb: fix a DoS bug by restricting user input Date: Tue, 13 Jul 2021 12:51:14 +0000 Message-Id: <1626180674-25195-1-git-send-email-zheyuma97@gmail.com> X-Mailer: git-send-email 2.7.4 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The user can pass in any value to the driver through the 'ioctl' interface. The driver dost not check, which may cause DoS bugs. Fix this by checking if the divisor is 0 The following log reveals it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:SetOverlayViewPort+0x133/0x5f0 drivers/video/fbdev/kyro/STG4000OverlayDevice.c:476 Call Trace: kyro_dev_overlay_viewport_set drivers/video/fbdev/kyro/fbdev.c:378 [inline] kyrofb_ioctl+0x2eb/0x330 drivers/video/fbdev/kyro/fbdev.c:603 do_fb_ioctl+0x1f3/0x700 drivers/video/fbdev/core/fbmem.c:1171 fb_ioctl+0xeb/0x130 drivers/video/fbdev/core/fbmem.c:1185 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Zheyu Ma --- drivers/video/fbdev/kyro/STG4000OverlayDevice.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/video/fbdev/kyro/STG4000OverlayDevice.c b/drivers/video/fbdev/kyro/STG4000OverlayDevice.c index 9fde0e3b69ec..29d692fe5e75 100644 --- a/drivers/video/fbdev/kyro/STG4000OverlayDevice.c +++ b/drivers/video/fbdev/kyro/STG4000OverlayDevice.c @@ -407,6 +407,9 @@ int SetOverlayViewPort(volatile STG4000REG __iomem *pSTGReg, ulVertDecFactor = 1; } + if ((ulDest + 1) == 0) + return -EINVAL; + ulDacYScale = ((ulSrc - 1) * 2048) / (ulDest + 1); tmp = STG_READ_REG(DACOverlayVtDec); /* Decimation */ @@ -471,6 +474,9 @@ int SetOverlayViewPort(volatile STG4000REG __iomem *pSTGReg, */ ulScaleLeft = ulSrcLeft; + if ((ulRight - ulLeft + 2) == 0) + return -EINVAL; + /* shift fxscale until it is in the range of the scaler */ ulhDecim = 0; ulScale = (((ulSrcRight - ulSrcLeft) - 1) << (11 - ulhDecim)) / (ulRight - ulLeft + 2); -- 2.17.6