cve/published/2021/CVE-2021-47641.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47641: video: fbdev: cirrusfb: check pixclock to avoid divide by zero

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 video: fbdev: cirrusfb: check pixclock to avoid divide by zero

 Do a sanity check on pixclock value to avoid divide by zero.

 If the pixclock value is zero, the cirrusfb driver will round up
 pixclock to get the derived frequency as close to maxclock as
 possible.

 Syzkaller reported a divide error in cirrusfb_check_pixclock.

 divide error: 0000 [#1] SMP KASAN PTI
 CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2
 RIP: 0010:cirrusfb_check_var+0x6f1/0x1260

 Call Trace:
  fb_set_var+0x398/0xf90
  do_fb_ioctl+0x4b8/0x6f0
  fb_ioctl+0xeb/0x130
  __x64_sys_ioctl+0x19d/0x220
  do_syscall_64+0x3a/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2021-47641 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.311 with commit c656d04247a2654ede5cead2ecbf83431dad5261
 	Fixed in 4.14.276 with commit 1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135
 	Fixed in 4.19.238 with commit 40b13e3d85744210db13457785646634e2d056bd
 	Fixed in 5.4.189 with commit 53a2088a396cfa1da92690a1da289634cd73bf0d
 	Fixed in 5.10.110 with commit 8c7e2141fb89c620ab4e41512e262fbf25b8260d
 	Fixed in 5.15.33 with commit 6fe23ff94e7840097202e85c148688940b37c9b1
 	Fixed in 5.16.19 with commit 45800c42ef000f417270bcfc08630e42486fca99
 	Fixed in 5.17.2 with commit e498b504f8c81b07efab9febf8503448de4dc9cf
 	Fixed in 5.18 with commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47641
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/video/fbdev/cirrusfb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c656d04247a2654ede5cead2ecbf83431dad5261
 	https://git.kernel.org/stable/c/1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135
 	https://git.kernel.org/stable/c/40b13e3d85744210db13457785646634e2d056bd
 	https://git.kernel.org/stable/c/53a2088a396cfa1da92690a1da289634cd73bf0d
 	https://git.kernel.org/stable/c/8c7e2141fb89c620ab4e41512e262fbf25b8260d
 	https://git.kernel.org/stable/c/6fe23ff94e7840097202e85c148688940b37c9b1
 	https://git.kernel.org/stable/c/45800c42ef000f417270bcfc08630e42486fca99
 	https://git.kernel.org/stable/c/e498b504f8c81b07efab9febf8503448de4dc9cf
 	https://git.kernel.org/stable/c/5c6f402bdcf9e7239c6bc7087eda71ac99b31379
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47641: video: fbdev: cirrusfb: check pixclock to avoid divide by zero

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	video: fbdev: cirrusfb: check pixclock to avoid divide by zero

	Do a sanity check on pixclock value to avoid divide by zero.

	If the pixclock value is zero, the cirrusfb driver will round up
	pixclock to get the derived frequency as close to maxclock as
	possible.

	Syzkaller reported a divide error in cirrusfb_check_pixclock.

	divide error: 0000 [#1] SMP KASAN PTI
	CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2
	RIP: 0010:cirrusfb_check_var+0x6f1/0x1260

	Call Trace:
	fb_set_var+0x398/0xf90
	do_fb_ioctl+0x4b8/0x6f0
	fb_ioctl+0xeb/0x130
	__x64_sys_ioctl+0x19d/0x220
	do_syscall_64+0x3a/0x80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2021-47641 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.311 with commit c656d04247a2654ede5cead2ecbf83431dad5261
	Fixed in 4.14.276 with commit 1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135
	Fixed in 4.19.238 with commit 40b13e3d85744210db13457785646634e2d056bd
	Fixed in 5.4.189 with commit 53a2088a396cfa1da92690a1da289634cd73bf0d
	Fixed in 5.10.110 with commit 8c7e2141fb89c620ab4e41512e262fbf25b8260d
	Fixed in 5.15.33 with commit 6fe23ff94e7840097202e85c148688940b37c9b1
	Fixed in 5.16.19 with commit 45800c42ef000f417270bcfc08630e42486fca99
	Fixed in 5.17.2 with commit e498b504f8c81b07efab9febf8503448de4dc9cf
	Fixed in 5.18 with commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47641
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/video/fbdev/cirrusfb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c656d04247a2654ede5cead2ecbf83431dad5261
	https://git.kernel.org/stable/c/1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135
	https://git.kernel.org/stable/c/40b13e3d85744210db13457785646634e2d056bd
	https://git.kernel.org/stable/c/53a2088a396cfa1da92690a1da289634cd73bf0d
	https://git.kernel.org/stable/c/8c7e2141fb89c620ab4e41512e262fbf25b8260d
	https://git.kernel.org/stable/c/6fe23ff94e7840097202e85c148688940b37c9b1
	https://git.kernel.org/stable/c/45800c42ef000f417270bcfc08630e42486fca99
	https://git.kernel.org/stable/c/e498b504f8c81b07efab9febf8503448de4dc9cf
	https://git.kernel.org/stable/c/5c6f402bdcf9e7239c6bc7087eda71ac99b31379