[patch 30/54] neofb: Fix pseudo_palette array overrun in neofb_setcolreg

From: Chris Wright
Date: Fri Jun 08 2007 - 03:40:46 EST


-stable review patch. If anyone has any objections, please let us know.
---------------------

From: Antonino A Daplas <adaplas@xxxxxxxxx>

The pseudo_palette has room for 16 entries only, but in truecolor mode, it
attempts to write 256.

Signed-off-by: Antonino Daplas <adaplas@xxxxxxxxx>
Acked-by: Tero Roponen <teanropo@xxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
This fixes the following regression/bug reported as follows:

Subject : tty-related oops in latest kernel(s)
References : http://lkml.org/lkml/2007/5/27/104
Submitter : Tero Roponen <teanropo@xxxxxx>
Status : problem is being debugged

According to Tero, this is also reproducible with 2.6.21.3.

(Resending, wrong email address for stable@xxxxxxxxxx)

Tony

drivers/video/neofb.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)

--- linux-2.6.21.4.orig/drivers/video/neofb.c
+++ linux-2.6.21.4/drivers/video/neofb.c
@@ -1285,34 +1285,36 @@ static int neofb_setcolreg(u_int regno,
if (regno >= fb->cmap.len || regno > 255)
return -EINVAL;

- switch (fb->var.bits_per_pixel) {
- case 8:
+ if (fb->var.bits_per_pixel <= 8) {
outb(regno, 0x3c8);

outb(red >> 10, 0x3c9);
outb(green >> 10, 0x3c9);
outb(blue >> 10, 0x3c9);
- break;
- case 16:
- ((u32 *) fb->pseudo_palette)[regno] =
+ } else if (regno < 16) {
+ switch (fb->var.bits_per_pixel) {
+ case 16:
+ ((u32 *) fb->pseudo_palette)[regno] =
((red & 0xf800)) | ((green & 0xfc00) >> 5) |
((blue & 0xf800) >> 11);
- break;
- case 24:
- ((u32 *) fb->pseudo_palette)[regno] =
+ break;
+ case 24:
+ ((u32 *) fb->pseudo_palette)[regno] =
((red & 0xff00) << 8) | ((green & 0xff00)) |
((blue & 0xff00) >> 8);
- break;
+ break;
#ifdef NO_32BIT_SUPPORT_YET
- case 32:
- ((u32 *) fb->pseudo_palette)[regno] =
+ case 32:
+ ((u32 *) fb->pseudo_palette)[regno] =
((transp & 0xff00) << 16) | ((red & 0xff00) << 8) |
((green & 0xff00)) | ((blue & 0xff00) >> 8);
- break;
+ break;
#endif
- default:
- return 1;
+ default:
+ return 1;
+ }
}
+
return 0;
}


--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/