In function do_fb_ioctl(), the "arg" is the type of unsigned long,
and in "case FBIOBLANK:" this argument is casted into an int before
passig to fb_blank(). In fb_blank(), the comparision
if (blank > FB_BLANK_POWERDOWN) would be bypass if the original
"arg" is a large number, which is possible because it comes from
the user input. Fix this by adding the check before the function
call.

Signed-off-by: Yizhuo Zhai <yzhai...@ucr.edu>
---
 drivers/video/fbdev/core/fbmem.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 0fa7ede94fa6..d5dec24c4d16 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1162,6 +1162,11 @@ static long do_fb_ioctl(struct fb_info *info, unsigned 
int cmd,
        case FBIOBLANK:
                console_lock();
                lock_fb_info(info);
+               if (arg > FB_BLANK_POWERDOWN) {
+                       unlock_fb_info(info);
+                       console_unlock();
+                       return -EINVAL;
+               }
                ret = fb_blank(info, arg);
                /* might again call into fb_blank */
                fbcon_fb_blanked(info, arg);
-- 
2.25.1

Reply via email to