android_kernel_samsung_a7y1.../drivers/char
Kefeng Wang daedd90ab3 hpet: Fix division by zero in hpet_time_div()
commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.

The base value in do_div() called by hpet_time_div() is truncated from
unsigned long to uint32_t, resulting in a divide-by-zero exception.

UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
division by zero
CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
 ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
Call Trace:
 [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
 [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
 [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
 [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
 [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
 [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
 [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
 [<ffffffff82846003>] tracesys_phase2+0x90/0x95

The main C reproducer autogenerated by syzkaller,

  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);

Fix it by using div64_ul().

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-06 20:16:43 +02:00
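The truncation described in the commit message above, as an added example that is not part of the commit or of the kernel source: a userspace model of a 32-bit-divisor do_div() next to a full 64-bit division. The helper names, the round-to-nearest shape of the calculation and the sample tick frequency are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample tick frequency (Hz); not taken from the page. */
#define SAMPLE_TICK_FREQ 14318180ULL

/* Model of do_div(): the divisor is used as a 32-bit value, so the upper
 * half of a 64-bit argument is dropped. Returns -1 where the kernel would
 * divide by zero. */
static int model_do_div(uint64_t *n, uint64_t base)
{
    uint32_t base32 = (uint32_t)base;   /* silent truncation */
    if (base32 == 0)
        return -1;
    *n /= base32;
    return 0;
}

/* Assumed pre-fix shape: round-to-nearest freq / dis through do_div(). */
static int time_div_old(uint64_t freq, uint64_t dis, uint64_t *out)
{
    uint64_t m = freq + (dis >> 1);
    if (model_do_div(&m, dis) != 0)
        return -1;
    *out = m;
    return 0;
}

/* Model of the div64_ul() fix: full 64-bit divisor.
 * Precondition (assumed checked by the caller): dis != 0. */
static uint64_t time_div_fixed(uint64_t freq, uint64_t dis)
{
    return (freq + (dis >> 1)) / dis;
}

int main(void)
{
    /* First value is the ioctl argument from the reproducer above; the
     * other two are constructed. */
    const uint64_t cases[] = { 0x40000000000000ULL, 0x100000002ULL, 64 };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t old = 0;
        int rc = time_div_old(SAMPLE_TICK_FREQ, cases[i], &old);
        printf("dis=%#llx old=%s%llu fixed=%llu\n",
               (unsigned long long)cases[i], rc ? "DIV0 " : "",
               (unsigned long long)old,
               (unsigned long long)time_div_fixed(SAMPLE_TICK_FREQ, cases[i]));
    }
    return 0;
}
```

The second case shows that a divisor whose low 32 bits are non-zero does not trap in the old path but yields a wrong quotient, so the 64-bit division corrects more than the crash.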
agp A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hw_random hwrng: virtio - Avoid repeated init of completion 2020-04-06 14:52:15 +02:00
ipmi ipmi:ssif: compare block number correctly for multi-part return messages 2020-04-06 18:12:46 +02:00
mwave A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
pcmcia A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tpm tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete 2020-04-06 15:49:13 +02:00
xilinx_hwicap A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
xillybus A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
apm-emulation.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
applicom.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
applicom.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bfin-otp.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bsr.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ds1302.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ds1620.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dsp56k.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dtlk.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
efirtc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
generic_nvram.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
genrtc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hangcheck-timer.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hpet.c hpet: Fix division by zero in hpet_time_div() 2020-04-06 20:16:43 +02:00
Kconfig tty: mark Siemens R3964 line discipline as BROKEN 2020-04-06 15:07:21 +02:00
knox_kap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
lp.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Makefile A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mbcs.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mbcs.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mem.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
misc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mmtimer.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mspec.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mst_ctrl.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nsc_gpio.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nvram.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nwbutton.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nwbutton.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nwflash.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
pc8736x_gpio.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ppdev.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ps3flash.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
random.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
raw.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
rtc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
scx200_gpio.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
snsc_event.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
snsc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
snsc.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sonypi.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tb0219.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tile-srom.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tlclk.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
toshiba.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ttyprintk.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
uv_mmtimer.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
virtio_console.c virtio_console: initialize vtermno value for ports 2020-04-06 18:20:12 +02:00