From patchwork Fri Oct 14 00:00:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Cabaj <john.cabaj@canonical.com>
X-Patchwork-Id: 1689827
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=ENyYVQqI;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4MpRPF2gxhz23kC
	for <incoming@patchwork.ozlabs.org>; Fri, 14 Oct 2022 11:01:04 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1oj88D-0007fs-KU; Fri, 14 Oct 2022 00:00:53 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <john.cabaj@canonical.com>) id 1oj88B-0007fZ-3J
 for kernel-team@lists.ubuntu.com; Fri, 14 Oct 2022 00:00:51 +0000
Received: from mail-il1-f199.google.com (mail-il1-f199.google.com
 [209.85.166.199])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id C4A623F116
 for <kernel-team@lists.ubuntu.com>; Fri, 14 Oct 2022 00:00:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1665705650;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=ENyYVQqIsoiTz5boNnzlU5q4ldywFqnowcVuGWA8tFvcK6+3Wq7QjAGJ+CXwlenZq
 fLTED8f9sTf5U6IEHt6szrwy9rtZ7pSsG56nGdmbxcGt4u5GLRR88IgkHX5Ms15T0h
 MjOmD5IfCfryHufXhl4SYBVnLpAw1l6qidsx1OI+A27+kQKrcT5YWWpfY+D2uhL4QO
 N1GstCcgPjB1c63yqU6IbVyeQoYJ4zqfkfhXbTJ5HTTwbxySrzmBzSgc1spLiRSm01
 aCmVre2lAfD8KowylJJRhXfSBvwCzc7/ulek6e/HCJoYcLPzgwsq7n/G26UVTjyFGv
 by7nqQhJ4Pehg==
Received: by mail-il1-f199.google.com with SMTP id
 a17-20020a921a11000000b002fadf952565so2776194ila.0
 for <kernel-team@lists.ubuntu.com>; Thu, 13 Oct 2022 17:00:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=zvgm6RTqU2cEqDpw37sqhEQvCuNc+u5nNPVRr2KnchA=;
 b=gN0lyBiPvCO/XxDMDw94FBFMHoB9BjjoMHYTUpFuyBl6e2aQF4vgy0txYMloz9/f03
 P3daYbFwZWV3zRE8rIfTZQFg3qskBx2+MLG4wDpLw8CgPyJsi10rTA58xR2FzZbpS2cj
 F1s/PDGHrpLjjZX74z2QQtrdb1aQxA9iWNAiYrDOe+A1OH1sMB369VbM1c+6VlWOvIM+
 0BgZdkYEjWFOLpvf3INUBPzyruiwGE1yTG+laX7LPTX8Lk1ZtXLjxG/btee0nF07nf98
 OA7hFxXbrM1Z3k1Ff04IJVHKPabY8+X9oLT83GmCY4YdThpYySRxeDTzvGGUOK/Z8HF/
 w9fA==
X-Gm-Message-State: ACrzQf0rca1K+lZ2TE/AHQ2Qy+tkmkIRd23PY7rdrxXml+2rff9nq0Xe
 Tk+RpKfZAIWqgNnjHOCoAeJEJBGB6lxnz+w4/iU7o1r5mme24x7mXMopdLX4J+uTEgYYkFUKwEE
 gRADu8gPtFVYcw0mVOTKN8ZmYJYCZAXb686kc0NZl5Q==
X-Received: by 2002:a02:9564:0:b0:363:7483:4444 with SMTP id
 y91-20020a029564000000b0036374834444mr1406778jah.172.1665705649460;
 Thu, 13 Oct 2022 17:00:49 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM5s3ubtzCMKfwDtDV97ETPR0kM73PtPF4QCPEv5ceK4vCqllnzZmrwxFg1zzOqMuShrEzOE4A==
X-Received: by 2002:a02:9564:0:b0:363:7483:4444 with SMTP id
 y91-20020a029564000000b0036374834444mr1406767jah.172.1665705649203;
 Thu, 13 Oct 2022 17:00:49 -0700 (PDT)
Received: from smtp.gmail.com (068-118-156-024.res.spectrum.com.
 [68.118.156.24]) by smtp.gmail.com with ESMTPSA id
 f19-20020a056638113300b003636c046e73sm497726jar.95.2022.10.13.17.00.48
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 13 Oct 2022 17:00:48 -0700 (PDT)
From: John Cabaj <john.cabaj@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/1] video: fbdev: i740fb: Error out if 'pixclock'
 equals zero
Date: Thu, 13 Oct 2022 19:00:47 -0500
Message-Id: <20221014000047.176615-2-john.cabaj@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221014000047.176615-1-john.cabaj@canonical.com>
References: <20221014000047.176615-1-john.cabaj@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Zheyu Ma <zheyuma97@gmail.com>

CVE-2022-3061

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
    fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
    do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
    fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 15cf0b82271b1823fb02ab8c377badba614d95d5)
Signed-off-by: John Cabaj <john.cabaj@canonical.com>
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
index ad5ced4ef972..8fb4e01e1943 100644
--- a/drivers/video/fbdev/i740fb.c
+++ b/drivers/video/fbdev/i740fb.c
@@ -662,6 +662,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
 
 static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 {
+	if (!var->pixclock)
+		return -EINVAL;
+
 	switch (var->bits_per_pixel) {
 	case 8:
 		var->red.offset	= var->green.offset = var->blue.offset = 0;