From 19f953e7435644b81332dd632ba1b2d80b1e37af Mon Sep 17 00:00:00 2001

From: Letu Ren <fantasquex@gmail.com>

Date: Thu, 18 Aug 2022 18:44:24 +0800

Subject: fbdev: fb_pm2fb: Avoid potential divide by zero error

Git-commit: 19f953e7435644b81332dd632ba1b2d80b1e37af

Patch-mainline: v6.0-rc3

References: bsc#1154048

In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be

copied from user, then go through `fb_set_var()` and

`info->fbops->fb_check_var()` which could may be `pm2fb_check_var()`.

Along the path, `var->pixclock` won't be modified. This function checks

whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is

zero, there will be a divide by zero error. So, it is necessary to check

whether denominator is zero to avoid crash. As this bug is found by

Syzkaller, logs are listed below.

divide error in pm2fb_check_var

Call Trace:

 <TASK>

 fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015

 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110

 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Reported-by: Zheyu Ma <zheyuma97@gmail.com>

Signed-off-by: Letu Ren <fantasquex@gmail.com>

Signed-off-by: Helge Deller <deller@gmx.de>

Acked-by: Thomas Zimmermann <tzimmermann@suse.de>

---

 drivers/video/fbdev/pm2fb.c | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c

index d3be2c64f1c0..8fd79deb1e2a 100644

--- a/drivers/video/fbdev/pm2fb.c

+++ b/drivers/video/fbdev/pm2fb.c

@@ -617,6 +617,11 @@ static int pm2fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)

 		return -EINVAL;

 	}

+	if (!var->pixclock) {

+		DPRINTK("pixclock is zero\n");

+		return -EINVAL;

+	}

+

 	if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) {

 		DPRINTK("pixclock too high (%ldKHz)\n",

 			PICOS2KHZ(var->pixclock));

-- 

2.37.3