vgaarb: fix incorrect dereference of userspace pointer.
Not in 2.6.32.9, but it was sent to stable and will most probably be in .10.

svn path=/dists/sid/linux-2.6/; revision=15231
parent
eeba5295fa
commit
5c9ceda5a7
|
@ -23,7 +23,8 @@ linux-2.6 (2.6.32-9) UNRELEASED; urgency=low
|
||||||
- futex_lock_pi() key refcnt fix. (CVE-2010-0623)
|
- futex_lock_pi() key refcnt fix. (CVE-2010-0623)
|
||||||
- Staging: fix rtl8187se compilation errors with mac80211.
|
- Staging: fix rtl8187se compilation errors with mac80211.
|
||||||
(closes: #566726)
|
(closes: #566726)
|
||||||
* r8169 patch for rx length check errors. (CVE-2009-4537)
|
* r8169 patch for rx length check errors. (CVE-2009-4537)
|
||||||
|
* vgaarb: fix incorrect dereference of userspace pointer.
|
||||||
|
|
||||||
[ Bastian Blank ]
|
[ Bastian Blank ]
|
||||||
* Restrict access to sensitive SysRq keys by default.
|
* Restrict access to sensitive SysRq keys by default.
|
||||||
|
|
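--- a/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
+++ b/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
@@ -0,0 +1,43 @@
+From 77c1ff3982c6b36961725dd19e872a1c07df7f3b Mon Sep 17 00:00:00 2001
+From: Andy Getzendanner <james.getzendanner@students.olin.edu>
+Date: Thu, 11 Feb 2010 14:04:48 +1000
+Subject: [PATCH] vgaarb: fix incorrect dereference of userspace pointer.
+
+This patch corrects a userspace pointer dereference in the VGA arbiter
+in 2.6.32.1.
+
+copy_from_user() is used at line 822 to copy the contents of buf into
+kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf. This
+problem led to a GPF in strncmp() when X was started on my x86_32 systems.
+X triggered the behavior with a write of "target PCI:0000:01:00.0" to
+/dev/vga_arbiter.
+
+The patch has been tested against 2.6.32.1 and observed to correct the GPF
+observed when starting X or manually writing the string "target
+PCI:0000:01:00.0" to /dev/vga_arbiter.
+
+Signed-off-by: Andy Getzendanner <james.getzendanner@students.olin.edu>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+drivers/gpu/vga/vgaarb.c | 2 +-
+1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
+index 1ac0c93..24b56dc 100644
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
+remaining -= 7;
+pr_devel("client 0x%p called 'target'\n", priv);
+/* if target is default */
+- if (!strncmp(buf, "default", 7))
++ if (!strncmp(kbuf, "default", 7))
+pdev = pci_dev_get(vga_default_device());
+else {
+if (!vga_pci_str_to_vars(curr_pos, remaining,
+--
+1.6.6.1
+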
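Review bot: The new `strncmp(kbuf, "default", 7)` in the embedded vgaarb.c hunk compares the start of the kernel copy, which by this point presumably still begins with the `target ` keyword, so the `default` branch looks like it can never match. The preceding `remaining -= 7;` and the else branch's `vga_pci_str_to_vars(curr_pos, remaining, ...)` both work from an advanced parse position, and the commit message's example write is `target PCI:0000:01:00.0`. Comparing at that position, `if (!strncmp(curr_pos, "default", 7))`, would keep the fix for the `__user` pointer dereference while matching the sibling branch; this assumes `curr_pos` points into `kbuf`, which the hunk does not show. The body of vga_arb_write starts and ends outside the hunk, so it is also worth confirming there that `kbuf` is NUL-terminated or that `remaining` is at least 7 before the compare.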
|
@ -13,3 +13,4 @@
|
||||||
- bugfix/x86/kvm-pit-control-word-is-write-only.patch
|
- bugfix/x86/kvm-pit-control-word-is-write-only.patch
|
||||||
+ bugfix/all/stable/2.6.32.9-rc1.patch
|
+ bugfix/all/stable/2.6.32.9-rc1.patch
|
||||||
+ bugfix/all/net-r8169-improved-rx-length-check-errors.patch
|
+ bugfix/all/net-r8169-improved-rx-length-check-errors.patch
|
||||||
|
+ bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
|
||||||
|
|