From: Yizhuo Zhai
Sent: 01 February 2022 02:36
In function do_fb_ioctl(), the "arg" is the type of unsigned long, and in "case FBIOBLANK:" this argument is casted into an int before passig to fb_blank(). In fb_blank(), the comparision if (blank > FB_BLANK_POWERDOWN) would be bypass if the original "arg" is a large number, which is possible because it comes from the user input. Fix this by adding the check before the function call.
Doesn't this convert invalid values (> FB_BLANK_POWERDOWN) that should generate errors into valid requests?
David
Signed-off-by: Yizhuo Zhai yzhai003@ucr.edu
drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 0fa7ede94fa6..f08326efff54 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1162,6 +1162,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, case FBIOBLANK: console_lock(); lock_fb_info(info);
if (blank > FB_BLANK_POWERDOWN)blank = FB_BLANK_POWERDOWN;-- 2.25.1
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)