Message ID | 20220202233402.1477864-1-yzhai003@ucr.edu (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [v5] fbdev: fbmem: Fix the implicit type casting | expand |
On 2/2/22 15:33, Yizhuo Zhai wrote: > In function do_fb_ioctl(), the "arg" is the type of unsigned long, > and in "case FBIOBLANK:" this argument is casted into an int before > passig to fb_blank(). In fb_blank(), the comparision > if (blank > FB_BLANK_POWERDOWN) would be bypass if the original > "arg" is a large number, which is possible because it comes from > the user input. Fix this by adding the check before the function > call. > > Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu> > --- > drivers/video/fbdev/core/fbmem.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 0fa7ede94fa6..d5dec24c4d16 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1162,6 +1162,11 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > case FBIOBLANK: > console_lock(); > lock_fb_info(info); > + if (arg > FB_BLANK_POWERDOWN) { > + unlock_fb_info(info); > + console_unlock(); > + return -EINVAL; > + } Is it really necessary to perform this check within the lock ? arg is a passed in value, and FB_BLANK_POWERDOWN. It seems to me that case FBIOBLANK: if (arg > FB_BLANK_POWERDOWN) return -EINVAL; console_lock(); ... should be sufficient. Sorry if I missed some previous discussion; this is the first time I looked at this patch. Guenter
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 0fa7ede94fa6..d5dec24c4d16 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1162,6 +1162,11 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, case FBIOBLANK: console_lock(); lock_fb_info(info); + if (arg > FB_BLANK_POWERDOWN) { + unlock_fb_info(info); + console_unlock(); + return -EINVAL; + } ret = fb_blank(info, arg); /* might again call into fb_blank */ fbcon_fb_blanked(info, arg);
In function do_fb_ioctl(), the "arg" is the type of unsigned long, and in "case FBIOBLANK:" this argument is casted into an int before passig to fb_blank(). In fb_blank(), the comparision if (blank > FB_BLANK_POWERDOWN) would be bypass if the original "arg" is a large number, which is possible because it comes from the user input. Fix this by adding the check before the function call. Signed-off-by: Yizhuo Zhai <yzhai003@ucr.edu> --- drivers/video/fbdev/core/fbmem.c | 5 +++++ 1 file changed, 5 insertions(+)