On 8/3/22 11:23, Zheyu Ma wrote: > Since the user can control the arguments of the ioctl() from the user > space, under special arguments that may result in a divide-by-zero bug > in: > drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); > with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. > and then in: > drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); > we'll get a division-by-zero. > > The following log can reveal it: > > divide error: 0000 [#1] PREEMPT SMP KASAN PTI > RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] > RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 > Call Trace: > fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 > do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 > fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 > > Fix this by checking the argument of ark_set_pixclock() first. > > Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") > Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx> applied to fbdev git tree. Thanks! Helge > --- > drivers/video/fbdev/arkfb.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c > index eb3e47c58c5f..ed76ddc7df3d 100644 > --- a/drivers/video/fbdev/arkfb.c > +++ b/drivers/video/fbdev/arkfb.c > @@ -781,7 +781,12 @@ static int arkfb_set_par(struct fb_info *info) > return -EINVAL; > } > > - ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); > + value = (hdiv * info->var.pixclock) / hmul; > + if (!value) { > + fb_dbg(info, "invalid pixclock\n"); > + value = 1; > + } > + ark_set_pixclock(info, value); > svga_set_timings(par->state.vgabase, &ark_timing_regs, &(info->var), hmul, hdiv, > (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, > (info->var.vmode & FB_VMODE_INTERLACED) ? 2 : 1,