idx1 is read from hardware and the range is [0, 30], the size of ThLowA and ThLowB is 24, so there could possibly an out of bounds access. This patch catches the OOB access and print a warning. [ 4.771691] ================================================================== [ 4.771693] BUG: KASAN: global-out-of-bounds in SiS_DoCalcDelay+0xa9/0x160 [sisfb] [ 4.771718] Read of size 1 at addr ffffffffc0048b1f by task modprobe/96 [ 4.771722] CPU: 0 PID: 96 Comm: modprobe Not tainted 5.11.0-rc7 #92 [ 4.771727] Call Trace: [ 4.771729] dump_stack+0x7d/0xa3 [ 4.771733] print_address_description.constprop.0+0x1a/0x140 [ 4.771738] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb] [ 4.771760] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb] [ 4.771782] kasan_report.cold+0x7f/0x10e [ 4.771786] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb] [ 4.771808] SiS_DoCalcDelay+0xa9/0x160 [sisfb] [ 4.771830] ? SiS_GetFIFOThresholdIndex300+0xb0/0xb0 [sisfb] [ 4.771853] ? sisfb_probe.cold+0x3a0f/0x4f7d [sisfb] [ 4.771876] ? SiS_GetRefCRTVCLK+0x6c/0x80 [sisfb] [ 4.771900] ? SiS_GetVCLK2Ptr+0x28b/0x800 [sisfb] [ 4.771923] SiSSetMode+0x26de/0x4770 [sisfb] [ 4.771946] ? SiS_LoadDAC+0x3e0/0x3e0 [sisfb] [ 4.771968] ? ___slab_alloc+0x412/0x5d0 [ 4.771971] ? set_inverse_trans_unicode.isra.0+0x147/0x170 [ 4.771975] ? sisfb_syncaccel+0x12f/0x140 [sisfb] [ 4.771998] sisfb_set_mode.isra.0+0x264/0x12b0 [sisfb] [ 4.772020] ? kasan_module_alloc+0x5f/0xc0 [ 4.772023] sisfb_set_par+0x3b3/0x930 [sisfb] [ 4.772046] fbcon_init+0x447/0x980 [ 4.772049] ? sisfb_probe+0x1490/0x1490 [sisfb] [ 4.772071] visual_init+0x182/0x240 [ 4.772074] do_bind_con_driver+0x2db/0x460 [ 4.772078] do_take_over_console+0x205/0x280 [ 4.772082] do_fbcon_takeover+0x80/0x100 [ 4.772085] register_framebuffer+0x301/0x4c0 [ 4.772088] ? do_remove_conflicting_framebuffers+0xf0/0xf0 [ 4.772092] ? fb_copy_cmap+0x10b/0x160 [ 4.772096] sisfb_probe.cold+0x2fca/0x4f7d [sisfb] [ 4.772120] ? rpm_resume+0x1cd/0xac0 [ 4.772124] ? sisfb_check_var+0x990/0x990 [sisfb] [ 4.772146] ? pm_runtime_get_if_active+0x190/0x190 [ 4.772150] ? _raw_spin_lock_irqsave+0x7b/0xd0 [ 4.772154] ? _raw_spin_lock_irqsave+0x7b/0xd0 [ 4.772157] ? __mutex_lock_slowpath+0x10/0x10 [ 4.772161] ? sisfb_check_var+0x990/0x990 [sisfb] [ 4.772183] local_pci_probe+0x6f/0xb0 [ 4.772349] The buggy address belongs to the variable: [ 4.772350] ThLowA.47581+0x1f/0xffffffffffff9500 [sisfb] [ 4.772373] [ 4.772373] Memory state around the buggy address: [ 4.772375] ffffffffc0048a00: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 [ 4.772377] ffffffffc0048a80: 00 00 05 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 [ 4.772379] >ffffffffc0048b00: 00 00 00 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 [ 4.772380] ^ [ 4.772382] ffffffffc0048b80: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9 [ 4.772384] ffffffffc0048c00: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 [ 4.772385] ================================================================== Signed-off-by: Tong Zhang <ztong0001@xxxxxxxxx> --- drivers/video/fbdev/sis/init.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c index b568c646a76c..fb9815e7af4b 100644 --- a/drivers/video/fbdev/sis/init.c +++ b/drivers/video/fbdev/sis/init.c @@ -2249,6 +2249,10 @@ SiS_GetFIFOThresholdA300(unsigned short idx1, unsigned short idx2) 34, 3,37, 5,47, 7, 67,11 }; + if (idx1>22) { + printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1); + idx1 = 22; + } return (unsigned short)((ThLowA[idx1 + 1] * idx2) + ThLowA[idx1]); } @@ -2261,6 +2265,10 @@ SiS_GetFIFOThresholdB300(unsigned short idx1, unsigned short idx2) 42, 4,45, 6,55, 8, 75,12 }; + if (idx1>22) { + printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1); + idx1 = 22; + } return (unsigned short)((ThLowB[idx1 + 1] * idx2) + ThLowB[idx1]); } -- 2.25.1