From 825712b09b1658be88d3fab38180bb9dbe6f43f5 Mon Sep 17 00:00:00 2001

From: Zheyu Ma <zheyuma97@gmail.com>

Date: Mon, 26 Jul 2021 10:03:54 +0000

Subject: [PATCH] video: fbdev: kyro: Error out if 'pixclock' equals zero

Git-commit: 1520b4b7ba964f8eec2e7dd14c571d50de3e5191

Patch-mainline: v5.15-rc1

References: stable-5.14.6

[ Upstream commit 1520b4b7ba964f8eec2e7dd14c571d50de3e5191 ]

The userspace program could pass any values to the driver through

ioctl() interface. if the driver doesn't check the value of 'pixclock',

it may cause divide error because the value of 'lineclock' and

'frameclock' will be zero.

Fix this by checking whether 'pixclock' is zero in kyrofb_check_var().

The following log reveals it:

[  103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI

[  103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118

[  103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80

[  103.074045] Call Trace:

[  103.074048]  ? ___might_sleep+0x1ee/0x2d0

[  103.074060]  ? kyrofb_ioctl+0x330/0x330

[  103.074069]  fb_set_var+0x5bf/0xeb0

[  103.074078]  ? fb_blank+0x1a0/0x1a0

[  103.074085]  ? lock_acquire+0x3bd/0x530

[  103.074094]  ? lock_release+0x810/0x810

[  103.074103]  ? ___might_sleep+0x1ee/0x2d0

[  103.074114]  ? __mutex_lock+0x620/0x1190

[  103.074126]  ? trace_hardirqs_on+0x6a/0x1c0

[  103.074137]  do_fb_ioctl+0x31e/0x700

[  103.074144]  ? fb_getput_cmap+0x280/0x280

[  103.074152]  ? rcu_read_lock_sched_held+0x11/0x80

[  103.074162]  ? rcu_read_lock_sched_held+0x11/0x80

[  103.074171]  ? __sanitizer_cov_trace_switch+0x67/0xf0

[  103.074181]  ? __sanitizer_cov_trace_const_cmp2+0x20/0x80

[  103.074191]  ? do_vfs_ioctl+0x14b/0x16c0

[  103.074199]  ? vfs_fileattr_set+0xb60/0xb60

[  103.074207]  ? rcu_read_lock_sched_held+0x11/0x80

[  103.074216]  ? lock_release+0x483/0x810

[  103.074224]  ? __fget_files+0x217/0x3d0

[  103.074234]  ? __fget_files+0x239/0x3d0

[  103.074243]  ? do_fb_ioctl+0x700/0x700

[  103.074250]  fb_ioctl+0xe6/0x130

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>

Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-3-git-send-email-zheyuma97@gmail.com

Signed-off-by: Sasha Levin <sashal@kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/video/fbdev/kyro/fbdev.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c

index 4b8c7c16b1df..25801e8e3f74 100644

--- a/drivers/video/fbdev/kyro/fbdev.c

+++ b/drivers/video/fbdev/kyro/fbdev.c

@@ -399,6 +399,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)

 {

 	struct kyrofb_info *par = info->par;

+	if (!var->pixclock)

+		return -EINVAL;

+

 	if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) {

 		printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel);

 		return -EINVAL;

-- 

2.26.2