From patchwork Thu Oct 13 22:11:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Cabaj <john.cabaj@canonical.com>
X-Patchwork-Id: 1689805
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=WGIL9GXx;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4MpNzS2mbQz23jf
	for <incoming@patchwork.ozlabs.org>; Fri, 14 Oct 2022 09:12:03 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1oj6Qb-0004yx-6o; Thu, 13 Oct 2022 22:11:45 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <john.cabaj@canonical.com>) id 1oj6QY-0004yp-Gf
 for kernel-team@lists.ubuntu.com; Thu, 13 Oct 2022 22:11:42 +0000
Received: from mail-oa1-f70.google.com (mail-oa1-f70.google.com
 [209.85.160.70])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id E5E523F472
 for <kernel-team@lists.ubuntu.com>; Thu, 13 Oct 2022 22:11:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1665699101;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=WGIL9GXxRL05I0K2PAoGvzsme4a9axe0EaT7MUJgF8yWQ79n/AAAjjrELi21abX2B
 nF8Hg+eR1saizPVsT/NPoF8sDW14kZ7uUaDyDRrl02bOVYM4eVLh4h9QZztEIMDelx
 BBYU/8m2QRQOxNfacM3CQ3x/pNQwyC2O3sCn6+5JwrlwYBQOI8qEEiErgXTP/HRPaw
 I7Z2Pc0ukdNM4EStWp0gDMbuFxNVeELYY/P/R1RBQ9NzE8vZwkxXsNoWRKwLEKlmmY
 +Rgr/cEAOcy1kzgHr6TmrQQ9bjOsRjm+OUziIh1x31SlallSi8HYjn60dIErXmcyuG
 kg73d/R4oL3yA==
Received: by mail-oa1-f70.google.com with SMTP id
 586e51a60fabf-132254f73bdso1679805fac.14
 for <kernel-team@lists.ubuntu.com>; Thu, 13 Oct 2022 15:11:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 b=8Mp89+ywcJKNUoRL3YS3lOEpTLm6fi7AFInfZYFT2H32+OrSrE51641guYlGQYKn9Y
 e6OjroEk459ibDodtnYJCSh11nMWId4DDavE9Wj9mlMh4Q5J1TOTPPAoEXZ3s6+sr+sA
 4zq+UTQwMRQtrHSXXe8iN6Hf8kdgpZA+HZXJWLOSfZq1yVb3vu5R4rwaY4DMbkziBFcj
 9ZJ+eCG/SJcSSqyFE6w1NgmJDvWzX0eULvQwygO5QDUuSYVI0jIZkSuIoAIypdknmA2c
 HD8cqOmTBP8yqncE6FDP3L2NuHiJ8O+kJy5hghJgdYEke97cnwT1Jh2sM6it5z1G+6CA
 4reg==
X-Gm-Message-State: ACrzQf2ntrTPly8ZD4yKbL0xUcfbHTI9FtbEj3Q6p6rYBPniv7l6gYD1
 XtNYCeOAytNPMukMROOcuHU/DzPL+zYysktIFYAef/W/bzLEU3bfIKbLCXvpC/X3ZKQmLJL1xI+
 Zv8cd3yXv3eFN8wlQVfgSq6oQdBKJVt/4UYonqYsnkg==
X-Received: by 2002:a05:6870:d209:b0:133:dea2:45e4 with SMTP id
 g9-20020a056870d20900b00133dea245e4mr7202521oac.77.1665699100692;
 Thu, 13 Oct 2022 15:11:40 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM4ThzJc3LCynELaW9YToVtiKa8KzR5V8Jjns7A0OnzCrR7GnnrRQUoi9myXX6cQpVvtlTC5uA==
X-Received: by 2002:a05:6870:d209:b0:133:dea2:45e4 with SMTP id
 g9-20020a056870d20900b00133dea245e4mr7202516oac.77.1665699100467;
 Thu, 13 Oct 2022 15:11:40 -0700 (PDT)
Received: from localhost.localdomain (068-118-156-024.res.spectrum.com.
 [68.118.156.24]) by smtp.gmail.com with ESMTPSA id
 z7-20020a056870e30700b0012c52bd4369sm615536oad.19.2022.10.13.15.11.39
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 13 Oct 2022 15:11:40 -0700 (PDT)
From: John Cabaj <john.cabaj@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH](upstream) video: fbdev: i740fb: Error out if
 'pixclock' equals zero
Date: Thu, 13 Oct 2022 17:11:05 -0500
Message-Id: <20221013221105.171883-1-john.cabaj@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013220824.171430-1-john.cabaj@canonical.com>
References: <20221013220824.171430-1-john.cabaj@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Zheyu Ma <zheyuma97@gmail.com>

CVE-2022-3061

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
    fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
    do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
    fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 15cf0b82271b1823fb02ab8c377badba614d95d5)
Signed-off-by: John Cabaj <john.cabaj@canonical.com>
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
index ad5ced4ef972..8fb4e01e1943 100644
--- a/drivers/video/fbdev/i740fb.c
+++ b/drivers/video/fbdev/i740fb.c
@@ -662,6 +662,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
 
 static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 {
+	if (!var->pixclock)
+		return -EINVAL;
+
 	switch (var->bits_per_pixel) {
 	case 8:
 		var->red.offset	= var->green.offset = var->blue.offset = 0;