android_kernel_oneplus_msm8998/drivers/char
Kefeng Wang fe7d7592df hpet: Fix division by zero in hpet_time_div()
commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.

The base value in do_div() called by hpet_time_div() is truncated from
unsigned long to uint32_t, resulting in a divide-by-zero exception.

UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
division by zero
CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
 ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
Call Trace:
 [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
 [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
 [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
 [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
 [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
 [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
 [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
 [<ffffffff82846003>] tracesys_phase2+0x90/0x95

The main C reproducer autogenerated by syzkaller,

  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);

Fix it by using div64_ul().

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-04 09:35:00 +02:00
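The truncation described in the commit message above, as an added example that is not part of the commit or the kernel source: a userspace model of a divide that keeps only the low 32 bits of its divisor, next to one that uses the full 64-bit divisor. The helper names, the numerator and the second divisor are constructed for illustration; the second case goes beyond the reported crash to show that a non-zero truncated divisor fails silently with a wrong quotient.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: do_div() divides by a 32-bit base, so a 64-bit divisor
 * passed to it keeps just its low 32 bits. */
static uint32_t truncated_base(uint64_t base)
{
    return (uint32_t)base;
}

/* Pre-fix behaviour (hypothetical helper): returns -1 where the kernel
 * would hit the divide-by-zero, 0 otherwise with the quotient in *q. */
static int div_with_u32_base(uint64_t n, uint64_t base, uint64_t *q)
{
    uint32_t b = truncated_base(base);

    if (b == 0)
        return -1;
    *q = n / b;
    return 0;
}

/* Post-fix behaviour (models a full 64-bit divisor, as div64_ul() takes). */
static int div_with_u64_base(uint64_t n, uint64_t base, uint64_t *q)
{
    if (base == 0)
        return -1;
    *q = n / base;
    return 0;
}

int main(void)
{
    /* First divisor is the ioctl argument from the reproducer on this page;
     * the second and the numerator are constructed sample values. */
    const uint64_t bases[] = { 0x40000000000000ULL, 0x100000002ULL };
    const uint64_t n = 0x300000006ULL;

    for (size_t i = 0; i < 2; i++) {
        uint64_t q32 = 0, q64 = 0;
        int r32 = div_with_u32_base(n, bases[i], &q32);
        int r64 = div_with_u64_base(n, bases[i], &q64);

        printf("base=%#llx low32=%#x u32:%s q=%llu | u64:%s q=%llu\n",
               (unsigned long long)bases[i], truncated_base(bases[i]),
               r32 ? "DIV0" : "ok", (unsigned long long)q32,
               r64 ? "DIV0" : "ok", (unsigned long long)q64);
    }
    return 0;
}
```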
..
agp agp/intel: Flush all chipset writes after updating the GGTT 2018-03-22 09:23:29 +01:00
hw_random hwrng: virtio - Avoid repeated init of completion 2019-04-27 09:33:52 +02:00
ipmi ipmi:ssif: compare block number correctly for multi-part return messages 2019-06-11 12:23:39 +02:00
mwave char/mwave: fix potential Spectre v1 vulnerability 2019-02-06 19:43:04 +01:00
pcmcia pcmcia: remove left-over %Z format 2017-06-07 12:06:01 +02:00
tpm tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete 2019-04-27 09:34:00 +02:00
xilinx_hwicap
xillybus
apm-emulation.c
applicom.c applicom: Fix potential Spectre v1 vulnerabilities 2019-03-23 08:44:23 +01:00
applicom.h
bfin-otp.c
bsr.c
ds1302.c
ds1620.c
dsp56k.c
dtlk.c
efirtc.c
generic_nvram.c
genrtc.c
hangcheck-timer.c
hpet.c hpet: Fix division by zero in hpet_time_div() 2019-08-04 09:35:00 +02:00
Kconfig tty: mark Siemens R3964 line discipline as BROKEN 2019-04-27 09:33:54 +02:00
lp.c char: lp: fix possible integer overflow in lp_setup() 2017-05-25 14:30:07 +02:00
Makefile
mbcs.c
mbcs.h
mem.c x86/mm/pat, /dev/mem: Remove superfluous error message 2018-01-17 09:35:28 +01:00
misc.c
mmtimer.c
mspec.c
nsc_gpio.c
nvram.c
nwbutton.c
nwbutton.h
nwflash.c
pc8736x_gpio.c
ppdev.c
ps3flash.c
random.c random: mix rdrand with entropy sent in from userspace 2018-08-06 16:24:40 +02:00
raw.c
rtc.c
scx200_gpio.c
snsc.c
snsc.h
snsc_event.c
sonypi.c
tb0219.c
tile-srom.c
tlclk.c
toshiba.c
ttyprintk.c
uv_mmtimer.c
virtio_console.c virtio_console: initialize vtermno value for ports 2019-06-11 12:24:04 +02:00