[BUG] fbdev: sm712fb: Page fault in smtcfb_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I found a minor in the smtcfb_write() function of the driver sm712fb.
This write function can not handle the case that the size of the
buffer is 3 and does not check for it, which may cause a page fault.

Here is a simple PoC:

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    int fd = open("/dev/fb0", O_RDWR);
    write(fd, "000", 3);

    return 0;
}

The following log reveals it:

[ 1830.917859] BUG: unable to handle page fault for address: ffffc90001ffffff
[ 1830.918481] #PF: supervisor write access in kernel mode
[ 1830.919005] #PF: error_code(0x0002) - not-present page
[ 1830.921941] RIP: 0010:smtcfb_write+0x2c0/0x460
[ 1830.930156] Call Trace:
[ 1830.930364]  <TASK>
[ 1830.930543]  vfs_write+0x291/0xd60
[ 1830.930835]  ? do_sys_openat2+0x27d/0x350
[ 1830.931192]  ? __fget_light+0x54/0x340
[ 1830.931504]  ksys_write+0xce/0x190
[ 1830.931784]  do_syscall_64+0x43/0x90

Regards,
Zheyu Ma
[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux