projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fead905)
fbdev: savage: Error out if pixclock equals zero
authorFullway Wang <fullwaywang@outlook.com>
Thu, 18 Jan 2024 03:49:40 +0000 (11:49 +0800)
committerHelge Deller <deller@gmx.de>
Sun, 21 Jan 2024 08:00:14 +0000 (09:00 +0100)
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.

Although pixclock is checked in savagefb_decode_var(), but it is not
checked properly in savagefb_probe(). Fix this by checking whether
pixclock is zero in the function savagefb_check_var() before
info->var.pixclock is used as the divisor.

This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.

Signed-off-by: Fullway Wang <fullwaywang@outlook.com>
Signed-off-by: Helge Deller <deller@gmx.de>
drivers/video/fbdev/savage/savagefb_driver.c patch | blob | history

diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c
index dddd6af..ebc9aef 100644 (file)
--- a/drivers/video/fbdev/savage/savagefb_driver.c
+++ b/drivers/video/fbdev/savage/savagefb_driver.c
@@ -869,6 +869,9 @@ static int savagefb_check_var(struct fb_var_screeninfo   *var,
 
        DBG("savagefb_check_var");
 
+       if (!var->pixclock)
+               return -EINVAL;
+
        var->transp.offset = 0;
        var->transp.length = 0;
        switch (var->bits_per_pixel) {
MicroBlaze GIT Repository