From mboxrd@z Thu Jan  1 00:00:00 1970
From: akpm@linux-foundation.org
Subject: [patch for 2.6.33? 1/2] drivers/gpu/vga/vgaarb.c: fix userspace
	pointer dereference
Date: Tue, 02 Feb 2010 14:11:22 -0800
Message-ID: <201002022211.o12MBMj2017456@imap1.linux-foundation.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces@lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=dri-devel>
List-Post: <mailto:dri-devel@lists.sourceforge.net>
List-Help: <mailto:dri-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: dri-devel-bounces@lists.sourceforge.net
To: airlied@linux.ie
Cc: akpm@linux-foundation.org, dri-devel@lists.sourceforge.net, james.getzendanner@students.olin.edu, jbarnes@virtuousgeek.org, stable@kernel.org
List-Id: dri-devel@lists.freedesktop.org

From: Andy Getzendanner <james.getzendanner@students.olin.edu>

This patch corrects a userspace pointer dereference in the VGA arbiter
in 2.6.32.1.

copy_from_user() is used at line 822 to copy the contents of buf into
kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf.  This
problem led to a GPF in strncmp() when X was started on my x86_32 systems.
 X triggered the behavior with a write of "target PCI:0000:01:00.0" to
/dev/vga_arbiter.

The patch has been tested against 2.6.32.1 and observed to correct the GPF
observed when starting X or manually writing the string "target
PCI:0000:01:00.0" to /dev/vga_arbiter.

Signed-off-by: Andy Getzendanner <james.getzendanner@students.olin.edu>
Cc: Dave Airlie <airlied@linux.ie>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/gpu/vga/vgaarb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/gpu/vga/vgaarb.c~drivers-gpu-vga-vgaarbc-fix-userspace-pointer-dereference drivers/gpu/vga/vgaarb.c
--- a/drivers/gpu/vga/vgaarb.c~drivers-gpu-vga-vgaarbc-fix-userspace-pointer-dereference
+++ a/drivers/gpu/vga/vgaarb.c
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file
 		remaining -= 7;
 		pr_devel("client 0x%p called 'target'\n", priv);
 		/* if target is default */
-		if (!strncmp(buf, "default", 7))
+		if (!strncmp(kbuf, "default", 7))
 			pdev = pci_dev_get(vga_default_device());
 		else {
 			if (!vga_pci_str_to_vars(curr_pos, remaining,
_

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
--