mirror-linux/drivers/video/fbdev
Murad Masimov 05f6e18387 fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
If fb_add_videomode() in fb_set_var() fails to allocate memory for
fb_videomode, later it may lead to a null-ptr dereference in
fb_videomode_to_var(), as the fb_info is registered while not having the
mode in modelist that is expected to be there, i.e. the one that is
described in fb_info->var.

================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901
Call Trace:
 display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929
 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071
 resize_screen drivers/tty/vt/vt.c:1176 [inline]
 vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263
 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720
 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776
 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
================================================================

The reason is that fb_info->var is being modified in fb_set_var(), and
then fb_videomode_to_var() is called. If it fails to add the mode to
fb_info->modelist, fb_set_var() returns an error, but does not restore the
old value of fb_info->var. Restore fb_info->var on failure the same way
it is done earlier in the function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
2025-05-31 10:24:02 +02:00
aty treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
core fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var 2025-05-31 10:24:02 +02:00
geode x86/msr: Add explicit includes of <asm/msr.h> 2025-05-02 10:23:47 +02:00
i810
kyro fbdev: kyro: add missing MODULE_DESCRIPTION() macro 2024-06-13 23:10:41 +02:00
matrox move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mb862xx fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
mmp video: fbdev: mmp: switch to use spi_alloc_host() 2024-09-30 01:12:06 +02:00
nvidia fbdev: nvidiafb: Correct const string length in nvidiafb_setup() 2025-05-31 10:24:01 +02:00
omap treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
omap2 treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
riva fbdev: rivafb: Use backlight power constants 2024-09-30 16:35:40 +02:00
savage fbdev: savage: Handle err return when savagefb_check_var failed 2024-04-25 12:04:18 +02:00
sis fbdev: sisfb: Fix strbuf array overflow 2024-09-28 00:42:11 +02:00
via fbdev: via: use new GPIO line value setter callbacks 2025-05-31 10:24:01 +02:00
68328fb.c
Kconfig fbdev: Fix recursive dependencies wrt BACKLIGHT_CLASS_DEVICE 2024-12-17 18:06:10 +01:00
Makefile fbdev: da8xx: remove the driver 2024-10-15 10:08:23 +02:00
acornfb.c
acornfb.h
amifb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
arcfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
arkfb.c fbdev: arkfb: Cast ics5342_init() allocation type 2025-05-31 10:24:02 +02:00
asiliantfb.c
atafb.c
atafb.h
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atmel_lcdfb.c Backmerge v6.12-rc6 of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into drm-next 2024-11-04 14:25:33 +10:00
au1100fb.c fbdev: au1100fb: Move a variable assignment behind a null pointer check 2025-03-26 22:39:20 +01:00
au1100fb.h
au1200fb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
au1200fb.h
broadsheetfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
bt431.h
bt455.h
bw2.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
c2p.h
c2p_core.h
c2p_iplan2.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
c2p_planar.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
carminefb.c fbdev: carminefb: Fix spelling mistake of CARMINE_TOTAL_DIPLAY_MEM 2025-05-31 10:24:01 +02:00
carminefb.h fbdev: carminefb: Fix spelling mistake of CARMINE_TOTAL_DIPLAY_MEM 2025-05-31 10:24:01 +02:00
carminefb_regs.h
cg3.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
cg6.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
cg14.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
chipsfb.c fbdev: chipsfb: Use backlight power constants 2024-09-30 16:35:28 +02:00
cirrusfb.c
clps711x-fb.c - Improved handling of LCD power states and interactions with the fbdev subsystem. 2024-11-22 16:29:57 -08:00
cobalt_lcdfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
controlfb.c
controlfb.h
cyber2000fb.c This cycle, I2C removes the currently unused CLASS_DDC support 2024-01-18 17:29:01 -08:00
cyber2000fb.h
dnfb.c
edid.h
efifb.c fbdev: efifb: Change the return value type to void 2025-01-09 00:29:42 +01:00
ep93xx-fb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
ffb.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
fm2fb.c
fsl-diu-fb.c fbdev: fsl-diu-fb: add missing device_remove_file() 2025-03-26 22:39:21 +01:00
g364fb.c
gbefb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
goldfishfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
grvga.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
gxt4500.c
hecubafb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
hgafb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
hitfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
hpfb.c fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() 2024-08-30 18:42:38 +02:00
hyperv_fb.c fbdev: hyperv_fb: Allow graceful removal of framebuffer 2025-03-09 23:56:29 +00:00
i740_reg.h
i740fb.c fbdev: remove I2C_CLASS_DDC support 2024-01-18 21:10:41 +01:00
imsttfb.c fbdev: imsttfb: convert comma to semicolon 2024-09-02 13:54:26 +02:00
imxfb.c - Improved handling of LCD power states and interactions with the fbdev subsystem. 2024-11-22 16:29:57 -08:00
leo.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
macfb.c
macmodes.c fbdev: macmodes: add missing MODULE_DESCRIPTION() macro 2024-06-13 23:10:41 +02:00
macmodes.h
maxinefb.c
metronomefb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
n411.c
neofb.c
ocfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
offb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
p9100.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
platinumfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
platinumfb.h
pm2fb.c
pm3fb.c
pmag-aa-fb.c
pmag-ba-fb.c
pmagb-b-fb.c
ps3fb.c
pvr2fb.c
pxa3xx-gcu.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
pxa3xx-gcu.h
pxa3xx-regs.h
pxa168fb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
pxa168fb.h
pxafb.c fbdev: pxafb: use devm_kmemdup*() 2025-03-26 22:39:20 +01:00
pxafb.h
q40fb.c
s1d13xxxfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
s3c-fb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
s3fb.c fbcon: Increase maximum font width x height to 64 x 128 2024-03-16 08:29:48 +01:00
sa1100fb.c
sa1100fb.h
sbuslib.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
sbuslib.h fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
sh7760fb.c fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() 2024-11-14 15:26:27 +01:00
sh_mobile_lcdcfb.c fbdev: lcdcfb: Register sysfs groups through driver core 2025-03-26 22:39:20 +01:00
sh_mobile_lcdcfb.h
simplefb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
skeletonfb.c
sm501fb.c fbdev: sm501fb: Add some geometry checks. 2025-03-26 22:39:21 +01:00
sm712.h
sm712fb.c
smscufx.c fbdev: smscufx: Make I2C terminology more inclusive 2024-07-11 12:07:48 +02:00
ssd1307fb.c fbdev: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-06-24 15:57:42 +02:00
sstfb.c fbdev: sstfb: Make CONFIG_FB_DEVICE optional 2024-10-15 10:07:31 +02:00
stifb.c fbdev: stifb: Fix crash in stifb_blank() 2024-01-23 09:13:24 +01:00
sunxvr500.c
sunxvr1000.c
sunxvr2500.c
tcx.c fbdev: Constify struct sbus_mmap_map 2024-10-15 10:07:32 +02:00
tdfxfb.c fbdev: remove I2C_CLASS_DDC support 2024-01-18 21:10:41 +01:00
tgafb.c vt: remove superfluous CONFIG_HW_CONSOLE 2024-01-27 19:03:51 -08:00
tridentfb.c fbdev: remove I2C_CLASS_DDC support 2024-01-18 21:10:41 +01:00
udlfb.c fbdev: udlfb: Use const 'struct bin_attribute' callback 2024-12-22 07:03:42 +01:00
uvesafb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
valkyriefb.c
valkyriefb.h
vesafb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
vfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
vga16fb.c fbdev: vga16fb: fix orig_video_isVGA confusion 2025-01-19 22:33:52 +01:00
vt8500lcdfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
vt8500lcdfb.h
vt8623fb.c fbcon: Increase maximum font width x height to 64 x 128 2024-03-16 08:29:48 +01:00
wm8505fb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
wm8505fb_regs.h
wmt_ge_rops.c fbdev: wmt_ge_rops: Remove fb_draw.h includes 2025-03-26 22:39:21 +01:00
wmt_ge_rops.h
xen-fbfront.c fbdev: xen-fbfront: Assign fb_info->device 2024-09-11 07:58:18 +02:00
xilinxfb.c fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00