From: Yizhuo Zhai > Sent: 01 February 2022 02:36 > > In function do_fb_ioctl(), the "arg" is the type of unsigned long, > and in "case FBIOBLANK:" this argument is casted into an int before > passig to fb_blank(). In fb_blank(), the comparision > if (blank > FB_BLANK_POWERDOWN) would be bypass if the original > "arg" is a large number, which is possible because it comes from > the user input. Fix this by adding the check before the function > call. Doesn't this convert invalid values (> FB_BLANK_POWERDOWN) that should generate errors into valid requests? David > > Signed-off-by: Yizhuo Zhai <yzhai003@xxxxxxx> > --- > drivers/video/fbdev/core/fbmem.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 0fa7ede94fa6..f08326efff54 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > case FBIOBLANK: > console_lock(); > lock_fb_info(info); > + if (blank > FB_BLANK_POWERDOWN) > + blank = FB_BLANK_POWERDOWN; > ret = fb_blank(info, arg); > /* might again call into fb_blank */ > fbcon_fb_blanked(info, arg); > -- > 2.25.1 - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
