From 41e55ea4f9ed7c7ea78f35446ced03cdc2bb82da Mon Sep 17 00:00:00 2001 From: Sergey Shtylyov Date: Tue, 15 Jul 2025 08:12:47 +0000 Subject: [PATCH] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() mainline inclusion from mainline-v6.16-rc1 commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICLGDL CVE: CVE-2025-38312 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3f6dae09fc8c306eb70fdfef70726e1f154e173a -------------------------------- In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Sergey Shtylyov Signed-off-by: Helge Deller Signed-off-by: Xia Fukun --- drivers/video/fbdev/core/fbcvt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c index 55d2bd0ce5c0..0b391c78467d 100644 --- a/drivers/video/fbdev/core/fbcvt.c +++ b/drivers/video/fbdev/core/fbcvt.c @@ -323,7 +323,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) cvt.f_refresh = cvt.refresh; cvt.interlace = 1; - if (!cvt.xres || !cvt.yres || !cvt.refresh) { + if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { printk(KERN_INFO "fbcvt: Invalid input parameters\n"); return 1; } -- Gitee