Subject: Re: [PATCH] video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
Date: Wed, 3 Aug 2022 15:16:18 +0200
From: Helge Deller
To: Zheyu Ma, Ondrej Zajicek, Andrew Morton, Antonino Daplas
Cc: linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
In-Reply-To: <20220803092313.2492371-1-zheyuma97@gmail.com>

On 8/3/22 11:23, Zheyu Ma wrote:
> Since the user can control the arguments of the ioctl() from the user
> space, under special arguments that may result in a divide-by-zero bug
> in:
>   drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);
> with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.
> and then in:
>   drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock);
> we'll get a division-by-zero.
>
> The following log can reveal it:
>
> divide error: 0000 [#1] PREEMPT SMP KASAN PTI
> RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]
> RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784
> Call Trace:
>  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
>  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
>  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
>
> Fix this by checking the argument of ark_set_pixclock() first.
>
> Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards")
> Signed-off-by: Zheyu Ma

applied to fbdev git tree.

Thanks!
Helge

> --- > drivers/video/fbdev/arkfb.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c > index eb3e47c58c5f..ed76ddc7df3d 100644 > --- a/drivers/video/fbdev/arkfb.c > +++ b/drivers/video/fbdev/arkfb.c > @@ -781,7 +781,12 @@ static int arkfb_set_par(struct fb_info *info) > return -EINVAL; > } > > - ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); > + value =3D (hdiv * info->var.pixclock) / hmul; > + if (!value) { > + fb_dbg(info, "invalid pixclock\n"); > + value =3D 1; > + } > + ark_set_pixclock(info, value); > svga_set_timings(par->state.vgabase, &ark_timing_regs, &(info->var), h= mul, hdiv, > (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, > (info->var.vmode & FB_VMODE_INTERLACED) ? 2 : 1,
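
Review bot: in the `if (!value)` branch, a computed pixclock of 0 is replaced with 1 and the mode is still programmed, so a request the driver itself logs as "invalid pixclock" now reaches dac_set_freq() as 1000000000 / 1 instead of being refused. The context line just above this change already returns -EINVAL from arkfb_set_par(), so returning -EINVAL here as well would be consistent and would not leave the hardware on a clock the caller never asked for. The message is also emitted through fb_dbg() and carries none of hdiv, hmul or info->var.pixclock, which makes the offending input hard to identify from logs. Since the hunk adds no declaration, `value` is an existing local of arkfb_set_par(); its width should be checked against the hdiv * info->var.pixclock product.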