Thomas Zimmermann 8e21ba
From ec0754c60217248fa77cc9005d66b2b55200ac06 Mon Sep 17 00:00:00 2001
From: Zheyu Ma <zheyuma97@gmail.com>
Date: Thu, 4 Aug 2022 20:41:23 +0800
Subject: video: fbdev: vt8623fb: Check the size of screen before memset_io()
Git-commit: ec0754c60217248fa77cc9005d66b2b55200ac06
Patch-mainline: v6.0-rc1
References: bsc#1154048

In the function vt8623fb_set_par(), the value of 'screen_size' is
calculated by the user input. If the user provides an improper value,
the value of 'screen_size' may be larger than 'info->screen_size', which
may cause the following bug:

[  583.339036] BUG: unable to handle page fault for address: ffffc90005000000
[  583.339049] #PF: supervisor write access in kernel mode
[  583.339052] #PF: error_code(0x0002) - not-present page
[  583.339074] RIP: 0010:memset_orig+0x33/0xb0
[  583.339110] Call Trace:
[  583.339118]  vt8623fb_set_par+0x11cd/0x21e0
[  583.339146]  fb_set_var+0x604/0xeb0
[  583.339181]  do_fb_ioctl+0x234/0x670
[  583.339209]  fb_ioctl+0xdd/0x130

Fix this by checking the value of 'screen_size' before memset_io().

Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
 drivers/video/fbdev/vt8623fb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c
index a92a8c670cf0..4274c6efb249 100644
--- a/drivers/video/fbdev/vt8623fb.c
+++ b/drivers/video/fbdev/vt8623fb.c
@@ -507,6 +507,8 @@ static int vt8623fb_set_par(struct fb_info *info)
 			 (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, 1,
 			 1, info->node);
 
+	if (screen_size > info->screen_size)
+		screen_size = info->screen_size;
 	memset_io(info->screen_base, 0x00, screen_size);
 
 	/* Device and screen back on */
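Review bot: the two added lines before memset_io() clamp 'screen_size' silently, so a request whose computed size exceeds info->screen_size is not rejected and the function carries on to "Device and screen back on" with only the clear shortened. Consider returning an error for such a request (ideally where the user-supplied var is validated, so fb_set_var() fails before vt8623fb_set_par() runs), or add a comment at the clamp explaining why truncating the clear is sufficient here.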
-- 
2.37.3