shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 11:13:02 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
ec565611f930bca36719f046d28f94de0384a4a9
linux/drivers
History
Kefeng Wang 0cbed4f1c6 hpet: Fix division by zero in hpet_time_div() 
commit 0c7d37f4d9 upstream.

The base value in do_div() called by hpet_time_div() is truncated from
unsigned long to uint32_t, resulting in a divide-by-zero exception.

UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
division by zero
CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
 ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
Call Trace:
 [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
 [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
 [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
 [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
 [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
 [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
 [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
 [<ffffffff82846003>] tracesys_phase2+0x90/0x95

The main C reproducer autogenerated by syzkaller,

  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);

Fix it by using div64_ul().

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-04 09:33:43 +02:00
..
accessibility
acpi
x86/cpu: Sanitize FAM6_ATOM naming
2019-05-14 19:19:34 +02:00
amba
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
2018-05-01 15:13:08 -07:00
android
binder: replace "%p" with "%pK"
2019-06-11 12:22:44 +02:00
ata
libata: don't request sense data on !ZAC ATA devices
2019-08-04 09:33:22 +02:00
atm
atm: he: fix sign-extension overflow on large shift
2019-02-27 10:06:59 +01:00
auxdisplay
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
2018-02-13 12:35:55 +01:00
base
regmap: fix bulk writes on paged registers
2019-08-04 09:33:19 +02:00
bcma
bcma: use (get|put)_device when probing/removing device driver
2017-03-12 06:41:52 +01:00
block
floppy: fix out-of-bounds read in copy_buffer
2019-08-04 09:33:29 +02:00
bluetooth
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
2019-08-04 09:33:24 +02:00
bus
bus: arm-cci: remove unnecessary unreachable()
2018-12-05 19:42:41 +01:00
cdrom
cdrom: Fix race condition in cdrom_sysctl_register
2019-04-05 22:29:12 +02:00
char
hpet: Fix division by zero in hpet_time_div()
2019-08-04 09:33:43 +02:00
clk
clk: sunxi: fix uninitialized access
2019-07-10 09:55:44 +02:00
clocksource
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
2019-08-04 09:33:22 +02:00
connector
cpufreq
cpufreq: pmac32: fix possible object reference leak
2019-05-31 06:48:27 -07:00
cpuidle
cpuidle: big.LITTLE: fix refcount leak
2019-02-12 19:44:55 +01:00
crypto
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
2019-08-04 09:33:30 +02:00
dax
device-dax: implement ->split() to catch invalid munmap attempts
2018-02-28 10:18:33 +01:00
dca
devfreq
PM / devfreq: Fix potential NULL pointer dereference in governor_store
2018-04-13 19:48:09 +02:00
dio
dma
dmaengine: imx-sdma: fix use-after-free on probe error path
2019-08-04 09:33:14 +02:00
dma-buf
dma-buf: remove redundant initialization of sg_table
2018-06-06 16:44:33 +02:00
edac
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
2019-08-04 09:33:23 +02:00
eisa
extcon
extcon: arizona: Disable mic detect if running when driver is removed
2019-05-31 06:48:26 -07:00
firewire
firewire-ohci: work around oversized DMA reads on JMicron controllers
2018-05-30 07:50:18 +02:00
firmware
efi/libstub: Unify command line param parsing
2019-06-11 12:22:45 +02:00
fmc
fpga
gpio
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
2019-08-04 09:33:24 +02:00
gpu
drm/rockchip: Properly adjust to a true clock in adjusted_mode
2019-08-04 09:33:38 +02:00
hid
HID: core: move Usage Page concatenation to Main item
2019-05-31 06:48:29 -07:00
hsi
HSI: ssi_protocol: double free in ssip_pn_xmit()
2018-03-24 11:00:12 +01:00
hv
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
2018-12-29 13:40:15 +01:00
hwmon
hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
2019-07-10 09:55:32 +02:00
hwspinlock
hwtracing
intel_th: msu: Fix single mode with disabled IOMMU
2019-08-04 09:33:31 +02:00
i2c
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
2019-06-22 08:17:23 +02:00
ide
ide: pmac: add of_node_put()
2018-12-21 14:11:37 +01:00
idle
x86/cpu: Sanitize FAM6_ATOM naming
2019-05-14 19:19:34 +02:00
iio
iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
2019-05-31 06:48:27 -07:00
infiniband
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
2019-08-04 09:33:40 +02:00
input
Input: gtco - bounds check collection indent level
2019-08-04 09:33:26 +02:00
iommu
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
2019-06-22 08:17:14 +02:00
ipack
ipack: print a hex number after a 0x prefix
2016-10-27 18:43:43 -07:00
irqchip
Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
2019-06-11 12:22:48 +02:00
isdn
mISDN: make sure device name is NUL terminated
2019-06-22 08:17:22 +02:00
leds
leds: pca9532: fix a potential NULL pointer dereference
2019-05-04 08:49:10 +02:00
lguest
lightnvm
Merge branch 'for-4.9/block' of git://git.kernel.dk/linux-block
2016-10-07 14:42:05 -07:00
macintosh
macintosh/rack-meter: Convert cputime64_t use to u64
2018-10-20 09:51:32 +02:00
mailbox
mailbox: handle failed named mailbox channel request
2019-08-04 09:33:41 +02:00
mcb
MCB: add support for SC31 to mcb-lpc
2017-09-09 17:39:41 +02:00
md
dm bufio: fix deadlock with loop device
2019-08-04 09:33:32 +02:00
media
media: coda: Remove unbalanced and unneeded mutex unlock
2019-08-04 09:33:27 +02:00
memory
memory: tegra: Fix integer overflow on tick value calculation
2019-05-25 18:26:49 +02:00
memstick
memstick: Fix error cleanup path of memstick_init
2019-08-04 09:33:37 +02:00
message
scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
2018-05-25 16:13:06 +02:00
mfd
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
2019-08-04 09:33:39 +02:00
misc
VMCI: Fix integer overflow in VMCI handle arrays
2019-07-21 09:06:03 +02:00
mmc
mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
2019-05-31 06:48:25 -07:00
mtd
mtd: rawnand: gpmi: fix MX28 bus master lockup problem
2019-02-15 08:07:37 +01:00
net
bonding: validate ip header before check IPPROTO_IGMP
2019-08-04 09:33:35 +02:00
nfc
spi: ST ST95HF NFC: declare missing of table
2019-05-16 19:43:43 +02:00
ntb
ntb_transport: Fix bug with max_mw_size parameter
2018-05-30 07:50:22 +02:00
nubus
nvdimm
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
2019-08-04 09:33:29 +02:00
nvme
nvme: Fix u32 overflow in the number of namespace list calculation
2019-07-10 09:55:32 +02:00
nvmem
nvmem: core: fix read buffer in place
2019-06-22 08:17:15 +02:00
of
of: add helper to lookup compatible child node
2018-12-01 09:44:21 +01:00
oprofile
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2016-10-10 20:16:43 -07:00
parisc
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
2019-06-11 12:22:47 +02:00
parport
parport: Fix mem leak in parport_register_dev_model
2019-07-10 09:55:29 +02:00
pci
PCI: xilinx-nwl: Fix Multi MSI data programming
2019-08-04 09:33:38 +02:00
pcmcia
pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
2018-11-13 11:16:46 -08:00
perf
drivers/perf: arm_pmu: handle no platform_device
2018-03-22 09:17:51 +01:00
phy
phy: renesas: rcar-gen2: Fix memory leak at error paths
2019-08-04 09:33:37 +02:00
pinctrl
pinctrl: rockchip: fix leaked of_node references
2019-08-04 09:33:36 +02:00
platform
platform/x86: intel_pmc_ipc: adding error handling
2019-06-22 08:17:16 +02:00
pnp
power
power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
2019-05-25 18:26:56 +02:00
powercap
x86/cpu: Sanitize FAM6_ATOM naming
2019-05-14 19:19:34 +02:00
pps
pps: kc: fix non-tickless system config dependency
2016-10-11 15:06:32 -07:00
ps3
ptp
ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
2019-02-12 19:44:52 +01:00
pwm
pwm: Fix deadlock warning when removing PWM device
2019-06-22 08:17:17 +02:00
rapidio
rapidio: fix a NULL pointer dereference when create_workqueue() fails
2019-06-22 08:17:11 +02:00
ras
regulator
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
2019-08-04 09:33:26 +02:00
remoteproc
remoteproc: qcom: mdt_loader: Don't overwrite firmware object
2017-03-12 06:41:50 +01:00
reset
reset: make device_reset_optional() really optional
2018-12-08 13:05:08 +01:00
rpmsg
rpmsg: smd: fix memory leak on channel create
2018-11-13 11:17:03 -08:00
rtc
rtc: pcf8523: don't return invalid date when battery is low
2019-06-22 08:17:21 +02:00
s390
s390/qdio: handle PENDING state for QEBSM devices
2019-08-04 09:33:18 +02:00
sbus
drivers/sbus/char: add of_node_put()
2018-12-21 14:11:36 +01:00
scsi
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
2019-08-04 09:33:25 +02:00
sfi
sh
sn
soc
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
2019-06-22 08:17:15 +02:00
spi
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
2019-07-10 09:55:43 +02:00
spmi
spmi: Include OF based modalias in device uevent
2017-07-27 15:08:08 -07:00
ssb
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
2019-05-31 06:48:12 -07:00
staging
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
2019-08-04 09:33:17 +02:00
target
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
2019-03-23 13:19:47 +01:00
tc
TC: Set DMA masks for devices
2018-11-13 11:17:02 -08:00
thermal
drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
2019-06-22 08:17:13 +02:00
thunderbolt
thunderbolt: Resume control channel after hibernation image is created
2018-04-24 09:34:12 +02:00
tty
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
2019-08-04 09:33:40 +02:00
uio
uio: Fix an Oops on load
2018-11-27 16:09:41 +01:00
usb
usb: pci-quirks: Correct AMD PLL quirk detection
2019-08-04 09:33:42 +02:00
uwb
uwb: hwa-rc: fix memory leak at probe
2018-10-03 17:01:42 -07:00
vfio
vfio/pci: use correct format characters
2019-05-08 07:19:10 +02:00
vhost
vhost_net: disable zerocopy by default
2019-08-04 09:33:20 +02:00
video
video: imsttfb: fix potential NULL pointer dereferences
2019-06-22 08:17:17 +02:00
virt
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
2019-05-16 19:43:47 +02:00
virtio
virtio: Honour 'may_reduce_num' in vring_create_virtqueue
2019-04-17 08:36:47 +02:00
vlynq
vme
VME: restore bus_remove function causing incomplete module unload
2017-03-12 06:41:50 +01:00
w1
w1: fix the resume command API
2019-05-31 06:48:15 -07:00
watchdog
watchdog: fix compile time error of pretimeout governors
2019-06-22 08:17:14 +02:00
xen
xen: let alloc_xenballooned_pages() fail if not enough memory free
2019-08-04 09:33:25 +02:00
zorro
zorro: Set up z->dev.dma_mask for the DMA API
2018-05-30 07:50:44 +02:00
Kconfig
Makefile
usb: build drivers/usb/common/ when USB_SUPPORT is set
2018-02-25 11:05:45 +01:00