From: Zheyu Ma <zheyuma97@gmail.com>
To: Helge Deller <deller@gmx.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>,
	Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
	DRI Development <dri-devel@lists.freedesktop.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [BUG] video: fbdev: arkfb: Found a divide-by-zero bug which may cause DoS
Date: Wed, 3 Aug 2022 17:26:51 +0800	[thread overview]
Message-ID: <CAMhUBjk-nounZeqN3xq1Yp7+YG=iG+L2_3e1JOnWTJasiups-w@mail.gmail.com> (raw)
In-Reply-To: <YudX0t/P94a0LKtr@ls3530>

Hi,

On Mon, Aug 1, 2022 at 12:35 PM Helge Deller <deller@gmx.de> wrote:
>
> * Zheyu Ma <zheyuma97@gmail.com>:
> > I found a bug in the arkfb driver in the latest kernel, which may cause DoS.
> >
> > The reason for this bug is that the user controls some input to ioctl,
> > making 'mode' 0x7 on line 704, which causes hdiv = 1, hmul = 2, and if
> > the pixclock is controlled to be 1, it will cause a division error in
> > the function ark_set_pixclock().
>
> You are right.
> I see in:
>   drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);
> with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.
> and then in
>   drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock);
> you'll get a division-by-zero.
>
> > The easiest patch is to check the value of the argument 'pixclock' in
> > the ark_set_pixclock function, but this is perhaps too late, should we
> > do this check earlier? I'm not sure, so I'll report this bug to you.
>
> Yes, I think it should be done earlier.
>
> Geert always mentioned that an invalid pixclock from userspace should be
> rounded up to the next valid pixclock.
> But since I don't have that hardware, I'm not sure how this can be done
> best for this driver.
>
> Do you have the hardware to test?
> If so, could you check the patch below?

Thanks for your patch, it works for me :)

> It should at least prevent the division-by-zero.
> If it works, I'm happy if you could send a final patch...

I've sent a patch to the mailing list, thanks again for your reminder.

regards,

Zheyu Ma
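The arithmetic Helge traces above, as an added C example that is not part of this thread or of the arkfb driver: it models the two expressions quoted from arkfb.c (the scaled pixclock at line 784 and the DAC divisor at line 504) with plain integers, shows how hdiv=1, hmul=2, pixclock=1 truncates to zero, and adds a hypothetical early check at the point where var.pixclock arrives from userspace plus a round-up helper in the spirit of Geert's suggestion. The function names, the -EINVAL return and the round-up rule (smallest pixclock whose scaled value is non-zero) are assumptions; the real DAC's valid frequency range is not on the page and is not modelled.

```c
#include <stdio.h>
#include <errno.h>

/* Models the expression quoted from arkfb.c:784:
 *   ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);
 * Integer division truncates, so the result is 0 whenever hdiv * pixclock < hmul.
 * Per the thread, hdiv and hmul are chosen by the driver from 'mode' and are non-zero. */
static unsigned int ark_effective_pixclock(unsigned int hdiv, unsigned int hmul,
					   unsigned int pixclock)
{
	return (hdiv * pixclock) / hmul;
}

/* Models the divisor at arkfb.c:504, dac_set_freq(par->dac, 0, 1000000000 / pixclock),
 * with the guard the thread says is missing. Returns the DAC frequency, or -EINVAL
 * instead of dividing by zero. (Hypothetical helper, not the driver's function.) */
static long ark_dac_freq_checked(unsigned int pixclock)
{
	if (pixclock == 0)
		return -EINVAL;
	return (long)(1000000000u / pixclock);
}

/* Hypothetical earlier check, where Helge says it should be done: validate the
 * userspace-supplied var.pixclock before it is scaled and handed down. */
static int ark_check_var_pixclock(unsigned int hdiv, unsigned int hmul,
				  unsigned int pixclock)
{
	if (pixclock == 0 || ark_effective_pixclock(hdiv, hmul, pixclock) == 0)
		return -EINVAL;
	return 0;
}

/* Alternative in the spirit of Geert's suggestion: round an invalid pixclock up to
 * the next value that survives the scaling. Assumption: "valid" here only means
 * "scales to a non-zero value"; the real DAC's frequency limits are not modelled. */
static unsigned int ark_round_up_pixclock(unsigned int hdiv, unsigned int hmul,
					  unsigned int pixclock)
{
	unsigned int min_pixclock = (hmul + hdiv - 1) / hdiv; /* ceil(hmul / hdiv) */

	return pixclock < min_pixclock ? min_pixclock : pixclock;
}

int main(void)
{
	/* Constructed input: the values from the report (mode 0x7 -> hdiv=1, hmul=2). */
	unsigned int hdiv = 1, hmul = 2, pixclock = 1;
	unsigned int scaled = ark_effective_pixclock(hdiv, hmul, pixclock);

	printf("scaled pixclock = %u\n", scaled);
	printf("dac freq        = %ld\n", ark_dac_freq_checked(scaled));
	printf("early check     = %d\n", ark_check_var_pixclock(hdiv, hmul, pixclock));
	printf("rounded up      = %u\n", ark_round_up_pixclock(hdiv, hmul, pixclock));
	return 0;
}
```

The point of the two guards is placement: ark_dac_freq_checked() stops the crash but only after the bad value has already been derived, whereas ark_check_var_pixclock() rejects the ioctl input before any scaling happens, which is the "earlier" check the thread argues for.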

Thread overview: 5+ messages
2022-07-27  9:07 [BUG] video: fbdev: arkfb: Found a divide-by-zero bug which may cause DoS Zheyu Ma
2022-07-27  9:07 ` Zheyu Ma
2022-08-01  4:34 ` Helge Deller
2022-08-03  9:26   ` Zheyu Ma [this message]
2022-08-03  9:26     ` Zheyu Ma