| Message ID | ccd81e47-8635-4e02-84a9-afd19856a2f4@omp.ru |
|---|---|
| State | New |
| Headers | show |
| Series | fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() | expand |
On 5/14/25 22:35, Sergey Shtylyov wrote: > In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, > cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's > then passed to fb_cvt_hperiod(), where it's used as a divider -- division > by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to > avoid such overflow... > > Found by Linux Verification Center (linuxtesting.org) with the Svace static > analysis tool. > > Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") > Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> > > --- > The patch is against the master branch of Linus Torvalds' linux.git repo. > > drivers/video/fbdev/core/fbcvt.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) applied. Thanks! Helge
Index: linux/drivers/video/fbdev/core/fbcvt.c =================================================================== --- linux.orig/drivers/video/fbdev/core/fbcvt.c +++ linux/drivers/video/fbdev/core/fbcvt.c @@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode cvt.f_refresh = cvt.refresh; cvt.interlace = 1; - if (!cvt.xres || !cvt.yres || !cvt.refresh) { + if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { printk(KERN_INFO "fbcvt: Invalid input parameters\n"); return 1; }
In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> --- The patch is against the master branch of Linus Torvalds' linux.git repo. drivers/video/fbdev/core/fbcvt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)