[kernel] r15231 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

[Maximilian Attems]

Author: maks
Date: Fri Feb 19 18:16:03 2010
New Revision: 15231

Log:
vgaarb: fix incorrect dereference of userspace pointer.

not in 2.6.32.9 but was sent to stable and most probably in .10

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/9

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Fri Feb 19 18:07:27 2010	(r15230)
+++ dists/sid/linux-2.6/debian/changelog	Fri Feb 19 18:16:03 2010	(r15231)
@@ -23,7 +23,8 @@
     - futex_lock_pi() key refcnt fix. (CVE-2010-0623)
     - Staging: fix rtl8187se compilation errors with mac80211.
       (closes: #566726)
-  *  r8169 patch for rx length check errors. (CVE-2009-4537)
+  * r8169 patch for rx length check errors. (CVE-2009-4537)
+  * vgaarb: fix incorrect dereference of userspace pointer.
 
   [ Bastian Blank ]
   * Restrict access to sensitive SysRq keys by default.

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch	Fri Feb 19 18:16:03 2010	(r15231)
@@ -0,0 +1,43 @@
+From 77c1ff3982c6b36961725dd19e872a1c07df7f3b Mon Sep 17 00:00:00 2001
+From: Andy Getzendanner <james.getzendanner at students.olin.edu>
+Date: Thu, 11 Feb 2010 14:04:48 +1000
+Subject: [PATCH] vgaarb: fix incorrect dereference of userspace pointer.
+
+This patch corrects a userspace pointer dereference in the VGA arbiter
+in 2.6.32.1.
+
+copy_from_user() is used at line 822 to copy the contents of buf into
+kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf.  This
+problem led to a GPF in strncmp() when X was started on my x86_32 systems.
+ X triggered the behavior with a write of "target PCI:0000:01:00.0" to
+/dev/vga_arbiter.
+
+The patch has been tested against 2.6.32.1 and observed to correct the GPF
+observed when starting X or manually writing the string "target
+PCI:0000:01:00.0" to /dev/vga_arbiter.
+
+Signed-off-by: Andy Getzendanner <james.getzendanner at students.olin.edu>
+Cc: Jesse Barnes <jbarnes at virtuousgeek.org>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ drivers/gpu/vga/vgaarb.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
+index 1ac0c93..24b56dc 100644
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
+ 		remaining -= 7;
+ 		pr_devel("client 0x%p called 'target'\n", priv);
+ 		/* if target is default */
+-		if (!strncmp(buf, "default", 7))
++		if (!strncmp(kbuf, "default", 7))
+ 			pdev = pci_dev_get(vga_default_device());
+ 		else {
+ 			if (!vga_pci_str_to_vars(curr_pos, remaining,
+-- 
+1.6.6.1
+

Modified: dists/sid/linux-2.6/debian/patches/series/9
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/9	Fri Feb 19 18:07:27 2010	(r15230)
+++ dists/sid/linux-2.6/debian/patches/series/9	Fri Feb 19 18:16:03 2010	(r15231)
@@ -13,3 +13,4 @@
 - bugfix/x86/kvm-pit-control-word-is-write-only.patch
 + bugfix/all/stable/2.6.32.9-rc1.patch
 + bugfix/all/net-r8169-improved-rx-length-check-errors.patch
++ bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch