diff options
| author | Fullway Wang <fullwaywang@outlook.com> | 2024-01-18 06:49:40 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-01 15:34:48 +0300 |
| commit | bc3c2e58d73b28b9a8789fca84778ee165a72d13 (patch) | |
| tree | 199577b2151869b33a5f6592014ec74996ce9f1a /drivers/video/fbdev | |
| parent | 54b79d8786964e2f840e8a2ec4a9f9a50f3d4954 (diff) | |
| download | linux-bc3c2e58d73b28b9a8789fca84778ee165a72d13.tar.xz | |
fbdev: savage: Error out if pixclock equals zero
[ Upstream commit 04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288 ]
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), but it is not
checked properly in savagefb_probe(). Fix this by checking whether
pixclock is zero in the function savagefb_check_var() before
info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.
Signed-off-by: Fullway Wang <fullwaywang@outlook.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/video/fbdev')
| -rw-r--r-- | drivers/video/fbdev/savage/savagefb_driver.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c index b5f84bd4804b..4ba5cd55e5a5 100644 --- a/drivers/video/fbdev/savage/savagefb_driver.c +++ b/drivers/video/fbdev/savage/savagefb_driver.c @@ -869,6 +869,9 @@ static int savagefb_check_var(struct fb_var_screeninfo *var, DBG("savagefb_check_var"); + if (!var->pixclock) + return -EINVAL; + var->transp.offset = 0; var->transp.length = 0; switch (var->bits_per_pixel) { |