The patch titled
fb: fix fb_pan_display range check
has been added to the -mm tree. Its filename is
fb-fix-fb_pan_display-range-check.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: fb: fix fb_pan_display range check
From: Florian Tobias Schandinat <FlorianSchandinat@xxxxxx>
Fix the range check for panning. The current code fails to detect some
invalid values (very high ones that can occur if an app tries to move
further up/left than 0,0) as the check uses the unknown values for
calculation so that an overflow can occur.
To fix this it is sufficient to move the calculation to the right side to
use only trusted values.
Kai Jiang detected this problem and proposed an initial patch.
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@xxxxxx>
Cc: Kai Jiang <b18973@xxxxxxxxxxxxx>
Cc: Krzysztof Helt <krzysztof.h1@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
drivers/video/fbmem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN drivers/video/fbmem.c~fb-fix-fb_pan_display-range-check drivers/video/fbmem.c
--- a/drivers/video/fbmem.c~fb-fix-fb_pan_display-range-check
+++ a/drivers/video/fbmem.c
@@ -871,8 +871,8 @@ fb_pan_display(struct fb_info *info, str
err = -EINVAL;
if (err || !info->fbops->fb_pan_display ||
- var->yoffset + yres > info->var.yres_virtual ||
- var->xoffset + info->var.xres > info->var.xres_virtual)
+ var->yoffset > info->var.yres_virtual - yres ||
+ var->xoffset > info->var.xres_virtual - info->var.xres)
return -EINVAL;
if ((err = info->fbops->fb_pan_display(var, info)))
_
Patches currently in -mm which might be from FlorianSchandinat@xxxxxx are
viafb-fix-rmmod-bug.patch
viafb-remove-duplicated-cx700-register-init.patch
viafb-remove-temporary-start-address-setting.patch
fb-fix-fb_pan_display-range-check.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
