On Thu, Feb 03, 2022 at 09:18:30AM +0100, Helge Deller wrote:
On 2/3/22 07:39, Sam Ravnborg wrote:
Hi Daniel,
I assume you will take this.
Patch is: Reviewed-by: Sam Ravnborg sam@ravnborg.org
Acked-by: Helge Deller deller@gmx.de
Pushed to drm-misc-fixes, thanks for patch&review. -Daniel
Helge
Sam
On Wed, Feb 02, 2022 at 03:58:08PM -0800, Yizhuo Zhai wrote:
In function do_fb_ioctl(), the "arg" is the type of unsigned long, and in "case FBIOBLANK:" this argument is casted into an int before passig to fb_blank(). In fb_blank(), the comparision if (blank > FB_BLANK_POWERDOWN) would be bypass if the original "arg" is a large number, which is possible because it comes from the user input. Fix this by adding the check before the function call.
Signed-off-by: Yizhuo Zhai yzhai003@ucr.edu
drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 0fa7ede94fa6..13083ad8d751 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1160,6 +1160,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, ret = fbcon_set_con2fb_map_ioctl(argp); break; case FBIOBLANK:
if (arg > FB_BLANK_POWERDOWN)return -EINVAL;-- 2.25.1