[PATCH] video: fbdev: sis: Error out if pixclock equals zero

From: Fullway Wang
Date: Thu Jan 18 2024 - 01:25:10 EST

Next message: Cheng Nie: "[PATCH] ext4: fix the comment of ext4_map_blocks()/ext4_ext_map_blocks()"
Previous message: Yosry Ahmed: "Re: [PATCH 1/2] mm: zswap.c: add xarray tree to zswap"
Next in thread: Helge Deller: "Re: [PATCH] video: fbdev: sis: Error out if pixclock equals zero"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.

In sisfb_check_var(), var->pixclock is used as a divisor to caculate
drate before it is checked against zero. Fix this by checking it
at the beginning.

This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.

Signed-off-by: Fullway Wang <fullwaywang@xxxxxxxxxxx>
---
drivers/video/fbdev/sis/sis_main.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c
index 803ccb6aa479..009bf1d92644 100644
--- a/drivers/video/fbdev/sis/sis_main.c
+++ b/drivers/video/fbdev/sis/sis_main.c
@@ -1444,6 +1444,8 @@ sisfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)

vtotal = var->upper_margin + var->lower_margin + var->vsync_len;

+ if (!var->pixclock)
+ return -EINVAL;
pixclock = var->pixclock;

if((var->vmode & FB_VMODE_MASK) == FB_VMODE_NONINTERLACED) {
--
2.39.3 (Apple Git-145)

Next message: Cheng Nie: "[PATCH] ext4: fix the comment of ext4_map_blocks()/ext4_ext_map_blocks()"
Previous message: Yosry Ahmed: "Re: [PATCH 1/2] mm: zswap.c: add xarray tree to zswap"
Next in thread: Helge Deller: "Re: [PATCH] video: fbdev: sis: Error out if pixclock equals zero"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]