| Message ID | 20250327100126.12585-2-arefev@swemel.ru (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | fbdev: atyfb: Fix buffer overflow | expand |
On Thu, 27 Mar 2025, Denis Arefev <arefev@swemel.ru> wrote: > The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to > calculate an index for accessing an array element of size 9. > This may cause a buffer overflow. The fix is to fix it, not silently brush it under the carpet. BR, Jani. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Denis Arefev <arefev@swemel.ru> > --- > drivers/video/fbdev/aty/atyfb_base.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c > index 210fd3ac18a4..93eb5eb6042b 100644 > --- a/drivers/video/fbdev/aty/atyfb_base.c > +++ b/drivers/video/fbdev/aty/atyfb_base.c > @@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = { > void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) > { > if (M64_HAS(LT_LCD_REGS)) { > + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs)) > + return; > aty_st_le32(lt_lcd_regs[index], val, par); > } else { > unsigned long temp; > @@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) > u32 aty_ld_lcd(int index, const struct atyfb_par *par) > { > if (M64_HAS(LT_LCD_REGS)) { > + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs)) > + return 0; > return aty_ld_le32(lt_lcd_regs[index], par); > } else { > unsigned long temp;
diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c index 210fd3ac18a4..93eb5eb6042b 100644 --- a/drivers/video/fbdev/aty/atyfb_base.c +++ b/drivers/video/fbdev/aty/atyfb_base.c @@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = { void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) { if (M64_HAS(LT_LCD_REGS)) { + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs)) + return; aty_st_le32(lt_lcd_regs[index], val, par); } else { unsigned long temp; @@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) u32 aty_ld_lcd(int index, const struct atyfb_par *par) { if (M64_HAS(LT_LCD_REGS)) { + if ((u32)index >= ARRAY_SIZE(lt_lcd_regs)) + return 0; return aty_ld_le32(lt_lcd_regs[index], par); } else { unsigned long temp;
The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to calculate an index for accessing an array element of size 9. This may cause a buffer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Denis Arefev <arefev@swemel.ru> --- drivers/video/fbdev/aty/atyfb_base.c | 4 ++++ 1 file changed, 4 insertions(+)