<div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 3, 2022, 23:02 Helge Deller <<a href="mailto:deller@gmx.de">deller@gmx.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 4/3/22 13:26, Zheyu Ma wrote:<br>
> Hi,<br>
><br>
> I found a bug in the function i740fb_set_par().<br>
<br>
Nice catch!<br>
<br>
> When the user calls the ioctl system call without setting the value to<br>
> 'var->pixclock', the driver will throw a divide error.<br>
><br>
> This bug occurs because the driver uses the value of 'var->pixclock'<br>
> without checking it, as the following code snippet show:<br>
><br>
> if ((1000000 / var->pixclock) > DACSPEED8) {<br>
> dev_err(info->device, "requested pixclock %i MHz out of range<br>
> (max. %i MHz at 8bpp)\n",<br>
> 1000000 / var->pixclock, DACSPEED8);<br>
> return -EINVAL;x<br>
> }<br>
><br>
> We can fix this by checking the value of 'var->pixclock' in the<br>
> function i740fb_check_var() similar to commit<br>
> b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest<br>
> supported value when this field is zero.<br>
> I have no idea about which solution is better.<br>
<br>
Me neither.<br>
I think a solution like commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09<br>
is sufficient.<br>
<br>
Note that i740fb_set_par() is called in i740fb_resume() as well.<br>
Since this doesn't comes form userspace I think adding a check for<br>
the return value there isn't necessary.<br>
<br>
Would you mind sending a patch like b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ?<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">OK, and I also found similar bugs in other framebuffer drivers, I will send a patch set for them soon.</div><div dir="auto"><br></div><div dir="auto">Zheyu Ma</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote></div></div></div>