Hi,
On 5/16/21 4:27 PM, Anirudh Rayabharam wrote:
The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
Reported-by: kernel test robot oliver.sang@intel.com Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference") Cc: stable stable@vger.kernel.org Signed-off-by: Anirudh Rayabharam mail@anirudhrb.com
drivers/video/fbdev/hgafb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c index cc8e62ae93f6..bd3d07aa4f0e 100644 --- a/drivers/video/fbdev/hgafb.c +++ b/drivers/video/fbdev/hgafb.c @@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev) int ret; ret = hga_card_detect();
- if (!ret)
- if (ret) return ret;
printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",
In fact, this return isn't being properly handled. Thanks for fix it!
Reviewed-by: Igor Matheus Andrade Torrente igormtorrente@gmail.com