On 4/3/22 13:26, Zheyu Ma wrote:
> Hi,
>
> I found a bug in the function i740fb_set_par().
Nice catch!
> When the user calls the ioctl system call without setting the value to
> 'var->pixclock', the driver will throw a divide error.
>
> This bug occurs because the driver uses the value of 'var->pixclock'
> without checking it, as the following code snippet show:
>
> if ((1000000 / var->pixclock) > DACSPEED8) {
> dev_err(info->device, "requested pixclock %i MHz out of range
> (max. %i MHz at 8bpp)\n",
> 1000000 / var->pixclock, DACSPEED8);
> return -EINVAL;x
> }
>
> We can fix this by checking the value of 'var->pixclock' in the
> function i740fb_check_var() similar to commit
> b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
> supported value when this field is zero.
> I have no idea about which solution is better.
Me neither.
I think a solution like commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09
is sufficient.
Note that i740fb_set_par() is called in i740fb_resume() as well.
Since this doesn't comes form userspace I think adding a check for
the return value there isn't necessary.
Would you mind sending a patch like b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ?
Helge
> The following log reveals it:
>
> divide error: 0000 [#1] PREEMPT SMP KASAN PTI
> RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
> RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
> Call Trace:
> <TASK>
> fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
> do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
> fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
>
> Regards,
> Zheyu Ma
