[PATCH] video: fbdev: sis: catch out of bounds in SiS_DoCalcDelay

From: Tong Zhang
Date: Sun Feb 28 2021 - 00:39:17 EST


idx1 is read from hardware and the range is [0, 30],
the size of ThLowA and ThLowB is 24, so there could possibly be an out of
bounds access. This patch catches the OOB access and prints a warning.

[ 4.771691] ==================================================================
[ 4.771693] BUG: KASAN: global-out-of-bounds in SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[ 4.771718] Read of size 1 at addr ffffffffc0048b1f by task modprobe/96
[ 4.771722] CPU: 0 PID: 96 Comm: modprobe Not tainted 5.11.0-rc7 #92
[ 4.771727] Call Trace:
[ 4.771729] dump_stack+0x7d/0xa3
[ 4.771733] print_address_description.constprop.0+0x1a/0x140
[ 4.771738] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[ 4.771760] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[ 4.771782] kasan_report.cold+0x7f/0x10e
[ 4.771786] ? SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[ 4.771808] SiS_DoCalcDelay+0xa9/0x160 [sisfb]
[ 4.771830] ? SiS_GetFIFOThresholdIndex300+0xb0/0xb0 [sisfb]
[ 4.771853] ? sisfb_probe.cold+0x3a0f/0x4f7d [sisfb]
[ 4.771876] ? SiS_GetRefCRTVCLK+0x6c/0x80 [sisfb]
[ 4.771900] ? SiS_GetVCLK2Ptr+0x28b/0x800 [sisfb]
[ 4.771923] SiSSetMode+0x26de/0x4770 [sisfb]
[ 4.771946] ? SiS_LoadDAC+0x3e0/0x3e0 [sisfb]
[ 4.771968] ? ___slab_alloc+0x412/0x5d0
[ 4.771971] ? set_inverse_trans_unicode.isra.0+0x147/0x170
[ 4.771975] ? sisfb_syncaccel+0x12f/0x140 [sisfb]
[ 4.771998] sisfb_set_mode.isra.0+0x264/0x12b0 [sisfb]
[ 4.772020] ? kasan_module_alloc+0x5f/0xc0
[ 4.772023] sisfb_set_par+0x3b3/0x930 [sisfb]
[ 4.772046] fbcon_init+0x447/0x980
[ 4.772049] ? sisfb_probe+0x1490/0x1490 [sisfb]
[ 4.772071] visual_init+0x182/0x240
[ 4.772074] do_bind_con_driver+0x2db/0x460
[ 4.772078] do_take_over_console+0x205/0x280
[ 4.772082] do_fbcon_takeover+0x80/0x100
[ 4.772085] register_framebuffer+0x301/0x4c0
[ 4.772088] ? do_remove_conflicting_framebuffers+0xf0/0xf0
[ 4.772092] ? fb_copy_cmap+0x10b/0x160
[ 4.772096] sisfb_probe.cold+0x2fca/0x4f7d [sisfb]
[ 4.772120] ? rpm_resume+0x1cd/0xac0
[ 4.772124] ? sisfb_check_var+0x990/0x990 [sisfb]
[ 4.772146] ? pm_runtime_get_if_active+0x190/0x190
[ 4.772150] ? _raw_spin_lock_irqsave+0x7b/0xd0
[ 4.772154] ? _raw_spin_lock_irqsave+0x7b/0xd0
[ 4.772157] ? __mutex_lock_slowpath+0x10/0x10
[ 4.772161] ? sisfb_check_var+0x990/0x990 [sisfb]
[ 4.772183] local_pci_probe+0x6f/0xb0
[ 4.772349] The buggy address belongs to the variable:
[ 4.772350] ThLowA.47581+0x1f/0xffffffffffff9500 [sisfb]
[ 4.772373]
[ 4.772373] Memory state around the buggy address:
[ 4.772375] ffffffffc0048a00: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
[ 4.772377] ffffffffc0048a80: 00 00 05 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
[ 4.772379] >ffffffffc0048b00: 00 00 00 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
[ 4.772380] ^
[ 4.772382] ffffffffc0048b80: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9
[ 4.772384] ffffffffc0048c00: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9
[ 4.772385] ==================================================================

Signed-off-by: Tong Zhang <ztong0001@xxxxxxxxx>
---
drivers/video/fbdev/sis/init.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c
index b568c646a76c..fb9815e7af4b 100644
--- a/drivers/video/fbdev/sis/init.c
+++ b/drivers/video/fbdev/sis/init.c
@@ -2249,6 +2249,10 @@ SiS_GetFIFOThresholdA300(unsigned short idx1, unsigned short idx2)
34, 3,37, 5,47, 7, 67,11
};

+ if (idx1>22) {
+ printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1);
+ idx1 = 22;
+ }
return (unsigned short)((ThLowA[idx1 + 1] * idx2) + ThLowA[idx1]);
}
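Review bot: the bound is correct for a 24-entry table (the access is ThLowA[idx1 + 1], so idx1 must be at most 22), but the magic number should be derived from the table rather than hard-coded, e.g. `if (idx1 > ARRAY_SIZE(ThLowA) - 2)`, so the check cannot silently drift if the table is ever edited. Kernel style also wants spaces around the operator (`idx1 > 22`), `pr_warn()`/`dev_warn()` instead of a bare `printk(KERN_WARNING ...)`, and `%u` for an unsigned short. Since idx1 comes from hardware and this path runs on every mode set, a rate-limited variant (`pr_warn_ratelimited`) would stop a misbehaving chip from flooding the log. The commit message should also say whether clamping to 22 yields a usable FIFO threshold or whether SiS_DoCalcDelay (the caller in the KASAN trace) ought to treat an out-of-range index as an error instead.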

@@ -2261,6 +2265,10 @@ SiS_GetFIFOThresholdB300(unsigned short idx1, unsigned short idx2)
42, 4,45, 6,55, 8, 75,12
};

+ if (idx1>22) {
+ printk(KERN_WARNING "idx1 out of bounds: %d\n", idx1);
+ idx1 = 22;
+ }
return (unsigned short)((ThLowB[idx1 + 1] * idx2) + ThLowB[idx1]);
}
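Review bot: this block duplicates the check added to SiS_GetFIFOThresholdA300, including the same spacing, printk and magic-number issues; both tables are indexed by the same idx1 produced in SiS_DoCalcDelay, so a single check at that call site, or one small helper shared by both functions, would keep the two clamps from diverging. The warning string is also identical in both places, so a reader of dmesg cannot tell which table was hit; include the function name (`%s`, `__func__`) or use distinct messages.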

--
2.25.1