The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
[1]: https://lore.kernel.org/lkml/20210516150019.GB25903@xsang-OptiPlex-9020/
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
---
 drivers/video/fbdev/hgafb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c index cc8e62ae93f6..bd3d07aa4f0e 100644 --- a/drivers/video/fbdev/hgafb.c +++ b/drivers/video/fbdev/hgafb.c @@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev) int ret;
ret = hga_card_detect(); - if (!ret) + if (ret) return ret;
printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",
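Review bot: The `if (ret) return ret;` check in hgafb_probe() hands the return value of hga_card_detect() straight back as the probe result, so the fix is only correct if hga_card_detect() returns 0 on success and a negative errno on every failure path, and this hunk does not show that function. Please state that contract in the commit message or point to the lines that establish it, so that stable backporters can verify it against older trees. The early return also skips the printk(KERN_INFO ...) detection message and logs nothing of its own, so a failed detect is silent; if that is intended for absent hardware, a one-line comment above the check would make it explicit.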
Hi,
On 5/16/21 4:27 PM, Anirudh Rayabharam wrote:
The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
 drivers/video/fbdev/hgafb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c index cc8e62ae93f6..bd3d07aa4f0e 100644 --- a/drivers/video/fbdev/hgafb.c +++ b/drivers/video/fbdev/hgafb.c @@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev) int ret; ret = hga_card_detect();
- if (!ret)
- if (ret) return ret;
printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",
In fact, this return isn't being properly handled. Thanks for fixing it!
Reviewed-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
On Mon, May 17, 2021 at 12:57:14AM +0530, Anirudh Rayabharam wrote:
The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
Greg, this is one of the UMN fixes we did. So, do you want to take this patch into your tree?
thanks!
- Anirudh.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
 drivers/video/fbdev/hgafb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c index cc8e62ae93f6..bd3d07aa4f0e 100644 --- a/drivers/video/fbdev/hgafb.c +++ b/drivers/video/fbdev/hgafb.c @@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev) int ret; ret = hga_card_detect();
- if (!ret)
- if (ret) return ret;
printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n", -- 2.26.2
On Thu, May 20, 2021 at 07:10:39PM +0530, Anirudh Rayabharam wrote:
On Mon, May 17, 2021 at 12:57:14AM +0530, Anirudh Rayabharam wrote:
The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
Greg, this is one of the UMN fixes we did. So, do you want to take this patch into your tree?
Yes, will queue it up in a few days after Linus takes the current pull request I sent him for this.
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org