linux-toradex.git/drivers/video/fbdev/core, branch v4.4.93 Linux kernel for Apalis and Colibri modules fbdev: color map copying bounds checking 2017-02-01T07:30:52+00:00 Kees Cook keescook@chromium.org 2017-01-24T23:18:24+00:00 63db7c91a3c0ebe0e291feea53e4c63391db9465 commit 2dc705a9930b4806250fbf5a76e55266e59389f2 upstream. Copying color maps to userspace doesn't check the value of to->start, which will cause kernel heap buffer OOB read due to signedness wraps. CVE-2016-8405 Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Peter Pi (@heisecode) of Trend Micro Cc: Min Chong <mchong@google.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2dc705a9930b4806250fbf5a76e55266e59389f2 upstream.

Copying color maps to userspace doesn't check the value of to->start,
which will cause kernel heap buffer OOB read due to signedness wraps.

CVE-2016-8405

Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Peter Pi (@heisecode) of Trend Micro
Cc: Min Chong <mchong@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fb_ddc: Allow I2C adapters without SCL read capability 2015-09-30T07:46:55+00:00 Ondrej Zary linux@rainbow-software.org 2015-09-24T22:14:13+00:00 ec90631c8a6861cdd752148fe19c20f775df47e7 i2c-algo-bit allows I2C adapters without SCL read capability to work but fb_ddc_read fails to work on them. Fix fb_ddc_read to work with I2C adapters not capable of reading SCL. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
i2c-algo-bit allows I2C adapters without SCL read capability to work
but fb_ddc_read fails to work on them.

Fix fb_ddc_read to work with I2C adapters not capable of reading SCL.

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
fbdev: fix snprintf() limit in show_bl_curve() 2015-09-01T10:52:23+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-08-24T19:54:21+00:00 b4df20474ff76b4dbab7d991de271820383995b8 The limit should be "PAGE_SIZE - len" instead of PAGE_SIZE. Also let's use scnprintf() because snprintf() returns the number of bytes which would have been printed if there were space and scnprintf() returns the number of bytes actually printed. I don't think we are ever going to actually hit this limit in real life. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
The limit should be "PAGE_SIZE - len" instead of PAGE_SIZE.  Also let's
use scnprintf() because snprintf() returns the number of bytes which
would have been printed if there were space and scnprintf() returns the
number of bytes actually printed.

I don't think we are ever going to actually hit this limit in real life.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
fbdev: fix cea_modes array size 2015-08-20T07:20:11+00:00 Tomi Valkeinen tomi.valkeinen@ti.com 2015-01-15T11:47:19+00:00 6080a89357cc46f3450839a84af75c3d18f57772 CEA defines 64 modes, indexed from 1 to 64. modedb has cea_modes arrays, which contains 64 entries. However, the code uses the CEA indices directly, i.e. the first mode is at cea_modes[1]. This means the array is one too short. This does not cause references to uninitialized memory as the code in fbmon only allows indexes up to 63, and the cea_modes does not contain an entry for the mode 64 so it could not be used in any case. However, the code contains a check 'if (idx > ARRAY_SIZE(cea_modes)', and while that check is a no-op as at that point idx cannot be >= 63, it upsets static checkers. Fix this by increasing the cea_array size to be 65, and change the code to allow mode 64. Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> 
CEA defines 64 modes, indexed from 1 to 64. modedb has cea_modes arrays,
which contains 64 entries. However, the code uses the CEA indices
directly, i.e. the first mode is at cea_modes[1]. This means the array
is one too short.

This does not cause references to uninitialized memory as the code in
fbmon only allows indexes up to 63, and the cea_modes does not contain
an entry for the mode 64 so it could not be used in any case.

However, the code contains a check 'if (idx > ARRAY_SIZE(cea_modes)',
and while that check is a no-op as at that point idx cannot be >= 63, it
upsets static checkers.

Fix this by increasing the cea_array size to be 65, and change the code
to allow mode 64.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
fbdev: propagate result of fb_videomode_from_videomode() 2015-06-16T07:06:36+00:00 Vladimir Murzin vladimir.murzin@arm.com 2015-06-12T13:59:19+00:00 9f5ddefdc979d7b71aa4d3d7cc456c76fee80fda fb_videomode_from_videomode() may fail, but of_get_fb_videomode() silently covers this fact. Instead, trow the error code to the caller. Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
fb_videomode_from_videomode() may fail, but of_get_fb_videomode()
silently covers this fact. Instead, trow the error code to the
caller.

Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
framebuffer: don't link fb_devio into kernel image unconditionally 2015-05-07T10:59:45+00:00 Harald Geyer harald@ccbib.org 2015-04-28T11:17:49+00:00 a7c42990f1bed8665037fd5a3848ffb02de3b553 CONFIG_FB_DEFERRED_IO is defined as bool while CONFIG_FB is defined as tristate. Currently fb_defio.o is linked into the kernel image even if CONFIG_FB=m. I fix this by updating the Makefile to link fb_defio.o into fb.o and thus go into one place with the other core framebuffer code. Signed-off-by: Harald Geyer <harald@ccbib.org> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
CONFIG_FB_DEFERRED_IO is defined as bool while CONFIG_FB is defined as
tristate. Currently fb_defio.o is linked into the kernel image even if
CONFIG_FB=m.

I fix this by updating the Makefile to link fb_defio.o into fb.o and thus
go into one place with the other core framebuffer code.

Signed-off-by: Harald Geyer <harald@ccbib.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
fbdev: remove the unnecessary includes of ppc specific header files 2015-03-17T09:04:32+00:00 Kevin Hao haokexin@gmail.com 2015-03-12T12:32:48+00:00 45ae00a50dbea917e3f06b30ba5fb8110be2402b In the current kernel, we don't need to include these arch specific header files for ppc. Signed-off-by: Kevin Hao <haokexin@gmail.com> Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Acked-by: Tomi Valkeinen <tomi.valkeinen@ti.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 
In the current kernel, we don't need to include these arch specific
header files for ppc.

Signed-off-by: Kevin Hao <haokexin@gmail.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
video: fbdev: fix possible null dereference 2015-02-26T08:23:15+00:00 Sudip Mukherjee sudipm.mukherjee@gmail.com 2015-02-12T15:47:36+00:00 d746b40c64619f5064ebbe545938062481ef5183 we were dereferencing edid first and the NULL check was after accessing that. now we are using edid only if we know that it is not NULL. Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
we were dereferencing edid first and the NULL check was after
accessing that. now we are using edid only if we know that
it is not NULL.

Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
video: fbdev: fix sys_copyarea 2015-01-30T07:46:59+00:00 Mans Rullgard mans@mansr.com 2015-01-22T01:19:49+00:00 ee06bd155b081a1895f995ec2777094c7e746152 The sys_copyarea() function performs the same operation as cfb_copyarea() but using normal memory access instead of I/O accessors. Since the introduction of sys_copyarea(), there have been two fixes to cfb_copyarea(): - 00a9d699 ("framebuffer: fix cfb_copyarea") - 5b789da8 ("framebuffer: fix screen corruption when copying") This patch incorporates the fixes into sys_copyarea() as well. Signed-off-by: Mans Rullgard <mans@mansr.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> 
The sys_copyarea() function performs the same operation as
cfb_copyarea() but using normal memory access instead of I/O
accessors.  Since the introduction of sys_copyarea(), there
have been two fixes to cfb_copyarea():

- 00a9d699 ("framebuffer: fix cfb_copyarea")
- 5b789da8 ("framebuffer: fix screen corruption when copying")

This patch incorporates the fixes into sys_copyarea() as well.

Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
fbdev: fix CVT vertical front and back porch values 2015-01-27T11:35:37+00:00 Tomi Valkeinen tomi.valkeinen@ti.com 2015-01-21T07:38:16+00:00 4d073292a74b31ea00443d7778a95c209140aa42 CVT v1.1 spec says: "the vertical front porch shall in all cases be fixed to 3 lines". The code in fbcvt.c instead sets the _back_ porch to 3 (plus margin). After swapping cvt.v_front_porch and cvt.v_back_porch the resulting timings were in line with CVT timings in VESA DMT spec. The bug seems to be more than 9 years old, but I presume it has not been noticed as usually the video timings come from the EDID or from the timing tables in fbdev, and probably swapped values for vfp and vbp work fine for most of the displays. Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> Acked-by: David Ung <davidu@nvidia.com> Cc: Antonino A. Daplas <adaplas@gmail.com> 
CVT v1.1 spec says: "the vertical front porch shall in all cases be
fixed to 3 lines". The code in fbcvt.c instead sets the _back_ porch to
3 (plus margin).

After swapping cvt.v_front_porch and cvt.v_back_porch the resulting
timings were in line with CVT timings in VESA DMT spec.

The bug seems to be more than 9 years old, but I presume it has not been
noticed as usually the video timings come from the EDID or from the
timing tables in fbdev, and probably swapped values for vfp and vbp work
fine for most of the displays.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Acked-by: David Ung <davidu@nvidia.com>
Cc: Antonino A. Daplas <adaplas@gmail.com>