fbmem: don't allow too huge resolutions

author Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>

Wed, 8 Sep 2021 10:27:49 +0000 (19:27 +0900)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 22 Sep 2021 09:41:22 +0000 (11:41 +0200)
author Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Wed, 8 Sep 2021 10:27:49 +0000 (19:27 +0900)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Sep 2021 09:41:22 +0000 (11:41 +0200)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c

index afb84c27110d8293b4e4fe8a602505c901871316..e3c692294adce05303e5dad4b12519adb1c6b4b5 100644 (file)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -32,6 +32,7 @@
  #include <linux/device.h>
  #include <linux/efi.h>
  #include <linux/fb.h>
+#include <linux/overflow.h>
  
  #include <asm/fb.h>
  
@@ -981,6 +982,7 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
         if ((var->activate & FB_ACTIVATE_FORCE) ||
             memcmp(&info->var, var, sizeof(struct fb_var_screeninfo))) {
                 u32 activate = var->activate;
+               u32 unused;
  
                 /* When using FOURCC mode, make sure the red, green, blue and
                  * transp fields are set to 0.
@@ -1005,6 +1007,11 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
                 if (var->xres < 8 || var->yres < 8)
                         return -EINVAL;
  
+               /* Too huge resolution causes multiplication overflow. */
+               if (check_mul_overflow(var->xres, var->yres, &unused) ||
+                   check_mul_overflow(var->xres_virtual, var->yres_virtual, &unused))
+                       return -EINVAL;
+
                 ret = info->fbops->fb_check_var(var, info);
  
                 if (ret)
author	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
	Wed, 8 Sep 2021 10:27:49 +0000 (19:27 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 22 Sep 2021 09:41:22 +0000 (11:41 +0200)