On Tue, Jul 20, 2021 at 2:50 AM Sam Ravnborg wrote:
>
> Hi Zheyu,
> On Wed, Jul 14, 2021 at 04:09:22AM +0000, Zheyu Ma wrote:
> > The user can pass in any value to the driver through the 'ioctl'
> > interface. The driver does not check, which may cause DoS bugs.
>
_irqrestore+0x46/0x60
[ 53.094085] ? trace_hardirqs_on+0x6a/0x1c0
[ 53.094096] do_fb_ioctl+0x31e/0x700
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/neofb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
index c0f4f402da3f
Zheyu Ma (3):
video: fbdev: kyro: add a check against divide error
video: fbdev: riva: add a check against divide error
video: fbdev: asiliantfb: add a check against divide error
drivers/video/fbdev/asiliantfb.c | 3 +++
drivers/video/fbdev/kyro/fbdev.c | 3 +++
drivers/video/fbdev/riva
se+0x483/0x810
[ 103.074224] ? __fget_files+0x217/0x3d0
[ 103.074234] ? __fget_files+0x239/0x3d0
[ 103.074243] ? do_fb_ioctl+0x700/0x700
[ 103.074250] fb_ioctl+0xe6/0x130
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/kyro/fbdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/dri
__mutex_lock+0x620/0x1190
[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
[ 33.397190] do_fb_ioctl+0x31e/0x700
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/riva/fbdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/f
? trace_hardirqs_on+0x6a/0x1c0
[ 43.861978] do_fb_ioctl+0x31e/0x700
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/asiliantfb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c
index 3e006da47752..84c56f525889 100644
On Mon, Jul 26, 2021 at 4:18 AM Sam Ravnborg wrote:
>
> Hi Zheyu,
>
> On Sun, Jul 25, 2021 at 02:10:51AM +0000, Zheyu Ma wrote:
> > Zheyu Ma (3):
> > video: fbdev: kyro: add a check against divide error
> > video: fbdev: riva: add a check against divide error
Zheyu Ma (3):
video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
video: fbdev: kyro: Error out if 'pixclock' equals zero
video: fbdev: riva: Error out if 'pixclock' equals zero
drivers/video/fbdev/asiliantfb.c | 3 +++
drivers/video/fbdev/kyro/
? trace_hardirqs_on+0x6a/0x1c0
[ 43.861978] do_fb_ioctl+0x31e/0x700
Signed-off-by: Zheyu Ma
---
Changes in v2:
- Make commit log more descriptive
---
drivers/video/fbdev/asiliantfb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video
se+0x483/0x810
[ 103.074224] ? __fget_files+0x217/0x3d0
[ 103.074234] ? __fget_files+0x239/0x3d0
[ 103.074243] ? do_fb_ioctl+0x700/0x700
[ 103.074250] fb_ioctl+0xe6/0x130
Signed-off-by: Zheyu Ma
---
Changes in v2:
- Make commit log more descriptive
---
drivers/video/fbdev/kyro/fbdev.c |
__mutex_lock+0x620/0x1190
[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
[ 33.397190] do_fb_ioctl+0x31e/0x700
Signed-off-by: Zheyu Ma
---
Changes in v2:
- Make commit log more descriptive
---
drivers/video/fbdev/riva/fbdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/v
ideo/fbdev/core/fbmem.c:1185
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739
do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
Signed-off-by
fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739
do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
Signed-off-by: Zheyu Ma
---
Changes in v2:
- Validate
7.914358 ] radeon_driver_load_kms+0x13a/0x200
[7.914358 ] ? radeon_driver_unload_kms+0xe0/0xe0
[7.914358 ] drm_dev_register+0x1db/0x290
[7.914358 ] radeon_pci_probe+0x16a/0x230
[7.914358 ] local_pci_probe+0x4a/0xb0
Signed-off-by: Zheyu Ma
---
drivers/gpu/drm/ttm/ttm_range_manager.c | 3 +
/0xae
Fix this bug by adding a check.
Signed-off-by: Zheyu Ma
---
drivers/gpu/drm/drm_bufs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index fcca21e8efac..4fe2363b1e34 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/
On Thu, Mar 17, 2022 at 6:49 PM Daniel Vetter wrote:
>
> On Fri, Mar 11, 2022 at 07:23:02AM +, Zheyu Ma wrote:
> > The user program can control the 'drm_buf_desc::flags' via ioctl system
> > call and enter the function drm_legacy_addbufs_agp(). If the driver
>
On Tue, Mar 22, 2022 at 10:27 PM Daniel Vetter wrote:
>
> On Mon, Mar 21, 2022 at 09:02:47PM +0800, Zheyu Ma wrote:
> > On Thu, Mar 17, 2022 at 6:49 PM Daniel Vetter wrote:
> > >
> > > On Fri, Mar 11, 2022 at 07:23:02AM +, Zheyu Ma wrote:
> >
/0x340
[ 1830.931504] ksys_write+0xce/0x190
[ 1830.931784] do_syscall_64+0x43/0x90
Regards,
Zheyu Ma
read+0x230/0x3e0
[ 2432.626551] Call Trace:
[ 2432.626770]
[ 2432.626950] vfs_read+0x198/0xa00
[ 2432.627225] ? do_sys_openat2+0x27d/0x350
[ 2432.627552] ? __fget_light+0x54/0x340
[ 2432.627871] ksys_read+0xce/0x190
[ 2432.628143] do_syscall_64+0x43/0x90
Regards,
Zheyu Ma
On Sat, Feb 26, 2022 at 11:03 PM Helge Deller wrote:
>
> * Zheyu Ma :
> > I found a minor in the smtcfb_read() function of the driver sm712fb.
> >
> > This read function can not handle the case that the size of the
> > buffer is 3 and does not check for it
/0x340
ksys_write+0xce/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Fix it by removing the open-coded endianness fixup-code.
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/sm712fb.c | 21 -
1 file changed, 4 insertions(+), 17 deletions
Hi,
On Thu, Mar 3, 2022 at 12:49 AM Helge Deller wrote:
>
> On 3/2/22 15:33, Zheyu Ma wrote:
> > When the sm712fb driver writes three bytes to the framebuffer, the
> > driver will crash:
> >
> > BUG: unable to handle page fault for address: c90001ff
3196] cleanup_module+0x15/0x1c [savagefb]
[ 37.343543] __se_sys_delete_module+0x398/0x490
[ 37.343881] __x64_sys_delete_module+0x56/0x60
[ 37.344221] do_syscall_64+0x4d/0xc0
[ 37.344492] entry_SYSCALL_64_after_hwframe+0x44/0xae
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/core/fbmem.
> index 93802ab..099ddcb 100644
> > > > --- a/drivers/video/fbdev/cirrusfb.c
> > > > +++ b/drivers/video/fbdev/cirrusfb.c
> > > > @@ -477,6 +477,9 @@ static int cirrusfb_check_pixclock(const struct
fb_var_screeninfo *var,
> > > > struct cirrusfb_info *
argument of ark_set_pixclock() first.
Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards")
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/arkfb.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/arkfb.c b/drivers/vide
ev/core/fbmem.c:1189
Fix this by checking the argument of i740_calc_vclk() first.
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/i740fb.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
index 09dd85553d4f.
Hi,
On Mon, Aug 1, 2022 at 12:35 PM Helge Deller wrote:
>
> * Zheyu Ma :
> > I found a bug in the arkfb driver in the latest kernel, which may cause DoS.
> >
> > The reason for this bug is that the user controls some input to ioctl,
> > making 'mode' 0x7
3.339146] fb_set_var+0x604/0xeb0
[ 583.339181] do_fb_ioctl+0x234/0x670
[ 583.339209] fb_ioctl+0xdd/0x130
Fix this by checking the value of 'screen_size' before memset_io().
Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623")
Signed-off-by: Zheyu Ma
---
9.399130] fb_set_var+0x604/0xeb0
[ 659.399161] do_fb_ioctl+0x234/0x670
[ 659.399189] fb_ioctl+0xdd/0x130
Fix this by checking the value of 'screen_size' before memset_io().
Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards")
Signed-off-by: Zheyu Ma
---
set_var+0x604/0xeb0
[ 54.083836] do_fb_ioctl+0x234/0x670
Fix this by checking the value of 'screen_size' before memset_io().
Fixes: a268422de8bf ("[PATCH] fbdev driver for S3 Trio/Virge")
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/s3fb.c | 2 ++
1 file changed, 2 i
In the function *_set_par(), the value of 'screen_size' is
calculated by the user input. If the user provides the improper value,
the value of 'screen_size' may be larger than 'info->screen_size', which
may cause a bug in the memset_io().
Zheyu Ma (3):
video: f
Hello,
On Thu, Aug 4, 2022 at 10:43 PM Ondrej Zajicek wrote:
>
> On Thu, Aug 04, 2022 at 08:41:22PM +0800, Zheyu Ma wrote:
> > In the function *_set_par(), the value of 'screen_size' is
> > calculated by the user input. If the user provides the improper value,
> &
.c:1112
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
Regards,
Zheyu Ma
On Sun, Apr 3, 2022, 23:02 Helge Deller wrote:
> On 4/3/22 13:26, Zheyu Ma wrote:
> > Hi,
> >
> > I found a bug in the function i740fb_set_par().
>
> Nice catch!
>
> > When the user calls the ioctl system call without setting the value to
> > 'var->
rg/all/ypgbhmtlqqb1k...@ravnborg.org/
Zheyu Ma (7):
video: fbdev: i740fb: Error out if 'pixclock' equals zero
video: fbdev: neofb: Fix the check of 'var->pixclock'
video: fbdev: kyro: Error out if 'lineclock' equals zero
video: fbdev: vt8623fb: Error out if 'pix
0x670 drivers/video/fbdev/core/fbmem.c:1112
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/i740fb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/dri
[#1] PREEMPT SMP KASAN PTI
[ 49.704593] RIP: 0010:neofb_set_par+0x190f/0x49a0
[ 49.704635] Call Trace:
[ 49.704636]
[ 49.704650] fb_set_var+0x604/0xeb0
[ 49.704702] do_fb_ioctl+0x234/0x670
[ 49.704745] fb_ioctl+0xdd/0x130
[ 49.704753] do_syscall_64+0x3b/0x90
Signed-off-by: Zhe
error: [#1] PREEMPT SMP KASAN PTI
[ 33.404932] RIP: 0010:kyrofb_set_par+0x30d/0xd80
[ 33.404976] Call Trace:
[ 33.404978]
[ 33.404987] fb_set_var+0x604/0xeb0
[ 33.405038] do_fb_ioctl+0x234/0x670
[ 33.405083] fb_ioctl+0xdd/0x130
[ 33.405091] do_syscall_64+0x3b/0x90
do_syscall_64+0x3b/0x90
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/vt8623fb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c
index 7a959e5ba90b..a92a8c670cf0 100644
--- a/drivers/video/fbdev/vt8623fb.c
+++ b/drive
or: [#1] PREEMPT SMP KASAN PTI
[ 38.260733] RIP: 0010:tridentfb_check_var+0x853/0xe60
[ 38.260791] Call Trace:
[ 38.260793]
[ 38.260796] fb_set_var+0x367/0xeb0
[ 38.260879] do_fb_ioctl+0x234/0x670
[ 38.260922] fb_ioctl+0xdd/0x130
[ 38.260930] do_syscall_64+0x3b/0x90
or: [#1] PREEMPT SMP KASAN PTI
[ 76.603712] RIP: 0010:arkfb_set_par+0x10fc/0x24f0
[ 76.603762] Call Trace:
[ 76.603764]
[ 76.603773] fb_set_var+0x604/0xeb0
[ 76.603827] do_fb_ioctl+0x234/0x670
[ 76.603873] fb_ioctl+0xdd/0x130
[ 76.603881] do_syscall_64+0x3b/0x90
Signed-off-b
+0x3b/0x90
Signed-off-by: Zheyu Ma
---
drivers/video/fbdev/s3fb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c
index 5c74253e7b2c..b93c8eb02336 100644
--- a/drivers/video/fbdev/s3fb.c
+++ b/drivers/video/fbdev/s3fb.c
@@ -5
>>>
> >>> On Sun, Apr 3, 2022 at 5:41 PM Helge Deller wrote:
> >>>> On 4/3/22 13:26, Zheyu Ma wrote:
> >>>>> I found a bug in the function i740fb_set_par().
> >>>>
> >>>> Nice catch!
> >>>>
> >>
On Fri, Apr 8, 2022 at 3:50 AM Helge Deller wrote:
>
> On 4/4/22 10:47, Zheyu Ma wrote:
> > The userspace program could pass any values to the driver through
> > ioctl() interface. If the driver doesn't check the value of 'pixclock',
> > it may cause div
idges are probed
before registration")
Signed-off-by: Zheyu Ma
---
Changes in v2:
- Alignment format
---
drivers/gpu/drm/bridge/megachips-stdp-ge-b850v3-fw.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/bridge/megachips-stdp-ge-b850
Hi Robert,
On Mon, Aug 29, 2022 at 11:03 PM Robert Foss wrote:
>
> On Sat, 16 Jul 2022 at 10:13, Zheyu Ma wrote:
> >
> > When removing the module we will get the following warning:
> >
> > [ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregiste
, stdp4028) do not probe at the same time, so
the driver does not call ge_b850v3_register() when probing, causing the
driver to try to remove the object that has not been initialized.
Fix this by checking whether both the bridges are probed.
Signed-off-by: Zheyu Ma
---
drivers/gpu/drm/bridge/megachips
> 0b 49 8d 5f 38 48 89 df be 04 00 00 00 e8 df 2e 73 ff b8
ff ff
[ 15.416529] Call Trace:
[ 15.416896] hdm_probe+0xf3d/0x1090 [most_usb]
Since I'm not familiar with the driver, I ask for your help to solve
the warning.
regards,
Zheyu Ma
< 0) {
perror("Failed to call the ioctl");
return 1;
}
return 0;
}
The easiest patch is to check the value of the argument 'pixclock' in
the ark_set_pixclock function, but this is perhaps too late, should we
do this check earlier? I'm not sure, so I'll report this bug to you.
regards,
Zheyu Ma