Message ID | 20250614051837.3544959-1-alexguo1023@gmail.com |
---|---|
State | New |
Series | fbdev: i740: Fix potential divide by zero |
On Sat, 14 Jun 2025 01:18:37 -0400 Alex Guo <alexguo1023@gmail.com> wrote: > Variable var->pixclock can be set by user. In case it equals to > zero, divide by zero would occur in 4 switch branches in > i740fb_decode_var. > Similar crashes have happened in other fbdev drivers. We fix this > by checking whether 'pixclock' is zero. Doesn't it already hit the 'default' clause of the switch statement? David > > Similar commit: commit 16844e58704 ("video: fbdev: tridentfb: > Error out if 'pixclock' equals zero") > > Signed-off-by: Alex Guo <alexguo1023@gmail.com> > --- > drivers/video/fbdev/i740fb.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c > index 9b74dae71472..861e9e397b4e 100644 > --- a/drivers/video/fbdev/i740fb.c > +++ b/drivers/video/fbdev/i740fb.c > @@ -419,6 +419,10 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, > > > bpp = var->bits_per_pixel; > + if (!var->pixclock){ > + dev_err(info->device, "pixclock must not be zero\n"); > + return -EINVAL; > + } > switch (bpp) { > case 1 ... 8: > bpp = 8;
On Sun, 15 Jun 2025 16:43:58 -0400 Jin D <alexguo1023@gmail.com> wrote: > > bpp = var->bits_per_pixel; > > + if (!var->pixclock){ > > + dev_err(info->device, "pixclock must not be zero\n"); > > + return -EINVAL; > > + } > > switch (bpp) { > > case 1 ... 8: > > bpp = 8; > > The value used in the switch condition is var->bits_per_pixel. I can not > find a deterministic relationship between var->bits_per_pixel and > var->pixclock. Brain-fade ... > > On Sun, Jun 15, 2025 at 4:30 AM David Laight <david.laight.linux@gmail.com> > wrote: > > > On Sat, 14 Jun 2025 01:18:37 -0400 > > Alex Guo <alexguo1023@gmail.com> wrote: > > > > > Variable var->pixclock can be set by user. In case it equals to > > > zero, divide by zero would occur in 4 switch branches in > > > i740fb_decode_var. > > > Similar crashes have happened in other fbdev drivers. We fix this > > > by checking whether 'pixclock' is zero. > > > > Doesn't it already hit the 'default' clause of the switch statement? > > > > David > > > > > > > > Similar commit: commit 16844e58704 ("video: fbdev: tridentfb: > > > Error out if 'pixclock' equals zero") > > > > > > Signed-off-by: Alex Guo <alexguo1023@gmail.com> > > > --- > > > drivers/video/fbdev/i740fb.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c > > > index 9b74dae71472..861e9e397b4e 100644 > > > --- a/drivers/video/fbdev/i740fb.c > > > +++ b/drivers/video/fbdev/i740fb.c > > > @@ -419,6 +419,10 @@ static int i740fb_decode_var(const struct > > fb_var_screeninfo *var, > > > > > > > > > bpp = var->bits_per_pixel; > > > + if (!var->pixclock){ > > > + dev_err(info->device, "pixclock must not be zero\n"); > > > + return -EINVAL; > > > + } > > > switch (bpp) { > > > case 1 ... 8: > > > bpp = 8; > > > >
diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index 9b74dae71472..861e9e397b4e 100644 --- a/drivers/video/fbdev/i740fb.c +++ b/drivers/video/fbdev/i740fb.c @@ -419,6 +419,10 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, bpp = var->bits_per_pixel; + if (!var->pixclock){ + dev_err(info->device, "pixclock must not be zero\n"); + return -EINVAL; + } switch (bpp) { case 1 ... 8: bpp = 8;
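Review bot: The `dev_err()` added inside the `if (!var->pixclock)` block logs at error level for a value the commit message says can be set by the user, so a caller that keeps passing a zero pixclock can fill the kernel log; consider returning -EINVAL without a message, or using `dev_dbg()` or `dev_err_ratelimited()` instead. The check is placed after `bpp = var->bits_per_pixel;` and before `switch (bpp)`, so it applies to every branch regardless of the bits_per_pixel value, and it would be worth saying so in the commit message since the review thread asked about the 'default' clause. Style: kernel coding style puts a space before the opening brace, i.e. `if (!var->pixclock) {`.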
Variable var->pixclock can be set by user. In case it equals to zero, divide by zero would occur in 4 switch branches in i740fb_decode_var.
Similar crashes have happened in other fbdev drivers. We fix this by checking whether 'pixclock' is zero.

Similar commit: commit 16844e58704 ("video: fbdev: tridentfb: Error out if 'pixclock' equals zero")

Signed-off-by: Alex Guo <alexguo1023@gmail.com>

---

drivers/video/fbdev/i740fb.c | 4 ++++

1 file changed, 4 insertions(+)