[0/1] fbdev: atyfb: Fix buffer overflow

Message ID	20250327100126.12585-1-arefev@swemel.ru
Headers	show Received: from mx.swemel.ru (mx.swemel.ru [95.143.211.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B828520D4F0; Thu, 27 Mar 2025 10:01:30 +0000 (UTC) From: Denis Arefev <arefev@swemel.ru> To: Helge Deller <deller@gmx.de> Cc: Thomas Zimmermann <tzimmermann@suse.de>, Jani Nikula <jani.nikula@intel.com>, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH 0/1] fbdev: atyfb: Fix buffer overflow Date: Thu, 27 Mar 2025 13:01:23 +0300 Message-ID: <20250327100126.12585-1-arefev@swemel.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	fbdev: atyfb: Fix buffer overflow \| expand [0/1] fbdev: atyfb: Fix buffer overflow [1/1] fbdev: atyfb: Fix buffer overflow

Message ID

20250327100126.12585-1-arefev@swemel.ru

Headers

From: Denis Arefev <arefev@swemel.ru>
To: Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
	Jani Nikula <jani.nikula@intel.com>,
	linux-fbdev@vger.kernel.org,
	dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH 0/1] fbdev: atyfb: Fix buffer overflow
Date: Thu, 27 Mar 2025 13:01:23 +0300
Message-ID: <20250327100126.12585-1-arefev@swemel.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

fbdev: atyfb: Fix buffer overflow | expand

Message

Denis Arefev March 27, 2025, 10:01 a.m. UTC

The fixes I suggested are not the only ones.
There are more options for solving this problem.

1.Find datasheet for the chip, find out the register offset, calculate
   the address using the formula (4*Dword offset), add this value to
   the array lt_lcd_regs[] at index LCD_MISC_CNTL.

2. Delete this code completely, as the chip is very obsolete and 
   not applicable.

Found by Linux Verification Center (linuxtesting.org) with SVACE.  

Denis Arefev (1):
  fbdev: atyfb: Fix buffer overflow

 drivers/video/fbdev/aty/atyfb_base.c | 4 ++++
 1 file changed, 4 insertions(+)

base-commit: 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95

Comments

Jani Nikula March 27, 2025, 10:14 a.m. UTC | #1

On Thu, 27 Mar 2025, Denis Arefev <arefev@swemel.ru> wrote:
> The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to
> calculate an index for accessing an array element of size 9.
> This may cause a buffer overflow.

The fix is to fix it, not silently brush it under the carpet.

BR,
Jani.

>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Denis Arefev <arefev@swemel.ru>
> ---
>  drivers/video/fbdev/aty/atyfb_base.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 210fd3ac18a4..93eb5eb6042b 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = {
>  void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
>  {
>  	if (M64_HAS(LT_LCD_REGS)) {
> +		if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> +			return;
>  		aty_st_le32(lt_lcd_regs[index], val, par);
>  	} else {
>  		unsigned long temp;
> @@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
>  u32 aty_ld_lcd(int index, const struct atyfb_par *par)
>  {
>  	if (M64_HAS(LT_LCD_REGS)) {
> +		if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
> +			return 0;
>  		return aty_ld_le32(lt_lcd_regs[index], par);
>  	} else {
>  		unsigned long temp;