rpms/kernel/F-12 vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch, NONE, 1.1.2.1 kernel.spec, 1.1960.2.19, 1.1960.2.20
Chuck Ebbert
cebbert at fedoraproject.org
Sun Feb 14 00:12:30 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19625
Modified Files:
Tag: private-fedora-12-2_6_31
kernel.spec
Added Files:
Tag: private-fedora-12-2_6_31
vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch
Log Message:
kernel: vgaarb: fix incorrect dereference of userspace pointer (#564246)
Always apply the patch git-linus.diff if it's not empty.
vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch:
vgaarb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch ---
>From 77c1ff3982c6b36961725dd19e872a1c07df7f3b Mon Sep 17 00:00:00 2001
From: Andy Getzendanner <james.getzendanner at students.olin.edu>
Date: Thu, 11 Feb 2010 14:04:48 +1000
Subject: vgaarb: fix incorrect dereference of userspace pointer.
From: Andy Getzendanner <james.getzendanner at students.olin.edu>
commit 77c1ff3982c6b36961725dd19e872a1c07df7f3b upstream.
[ cebbert at redhat.com : trivial backport to Fedora 12 2.6.31 ]
[ patch not needed in upstream 2.6.31 ]
This patch corrects a userspace pointer dereference in the VGA arbiter
in 2.6.32.1.
copy_from_user() is used at line 822 to copy the contents of buf into
kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf. This
problem led to a GPF in strncmp() when X was started on my x86_32 systems.
X triggered the behavior with a write of "target PCI:0000:01:00.0" to
/dev/vga_arbiter.
The patch has been tested against 2.6.32.1 and observed to correct the GPF
observed when starting X or manually writing the string "target
PCI:0000:01:00.0" to /dev/vga_arbiter.
Signed-off-by: Andy Getzendanner <james.getzendanner at students.olin.edu>
Cc: Jesse Barnes <jbarnes at virtuousgeek.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/gpu/vga/vgaarb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file
remaining -= 7;
pr_devel("client 0x%X called 'target'\n", (int)priv);
/* if target is default */
- if (!strncmp(buf, "default", 7))
+ if (!strncmp(kbuf, "default", 7))
pdev = pci_dev_get(vga_default_device());
else {
if (!vga_pci_str_to_vars(curr_pos, remaining,
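Review bot: the corrected compare on the `+` line reads from `kbuf`, while the surrounding code has already consumed the 7-byte "target " prefix (`remaining -= 7;`) and the else branch parses the device string from `curr_pos`. If `kbuf` still points at the start of the copied buffer, `strncmp(kbuf, "default", 7)` is looking at "target " and can never match, so a write of "target default" would fall through to `vga_pci_str_to_vars()`. Comparing against `curr_pos` would keep the fix in kernel memory and test the right offset; unless the buffer is NUL-terminated elsewhere in the function, the compare should also be guarded by `remaining`.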
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1960.2.19
retrieving revision 1.1960.2.20
diff -u -p -r1.1960.2.19 -r1.1960.2.20
--- kernel.spec 10 Feb 2010 23:11:30 -0000 1.1960.2.19
+++ kernel.spec 14 Feb 2010 00:12:28 -0000 1.1960.2.20
@@ -729,9 +729,11 @@ Patch1839: drm-radeon-misc-fixes.patch
Patch1900: linux-2.6-vga-arb.patch
Patch1901: drm-vga-arb.patch
Patch1902: drm-radeon-kms-arbiter-return-ignore.patch
+# RHBZ#564246
+Patch1903: vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch
# make harmless fbcon debug less loud
-Patch1903: fbcon-lower-debug.patch
+Patch1910: fbcon-lower-debug.patch
# kludge to make ich9 e1000 work
Patch2000: linux-2.6-e1000-ich9.patch
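Review bot: moving `fbcon-lower-debug.patch` from Patch1903 to Patch1910 is churn that neither the log message nor the changelog entry mentions. Giving the new patch a free number instead would leave the existing `Patch1903:` line untouched and keep this hunk to the two added lines; if the renumbering is intentional, say so in the commit message.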
@@ -1229,7 +1231,7 @@ make -f %{SOURCE20} VERSION=%{version} c
done
%endif
-#ApplyOptionalPatch git-linus.diff
+ApplyOptionalPatch git-linus.diff
# This patch adds a "make nonint_oldconfig" which is non-interactive and
# also gives a list of missing options at the end. Useful for automated
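Review bot: un-commenting `ApplyOptionalPatch git-linus.diff` is unrelated to the vgaarb fix and changes what every later build of this branch contains, since the applied content now depends on whatever is in git-linus.diff rather than on a spec change. It would be easier to audit as its own commit, with a spec comment above the line stating that the patch is skipped when the file is empty, as the log message describes.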
@@ -1480,6 +1482,8 @@ ApplyPatch drm-intel-no-tv-hotplug.patch
ApplyPatch linux-2.6-vga-arb.patch
ApplyPatch drm-vga-arb.patch
ApplyPatch drm-radeon-kms-arbiter-return-ignore.patch
+# RHBZ#564246
+ApplyPatch vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch
# Lower debug level of fbcon handover messages (rh#538526)
ApplyPatch fbcon-lower-debug.patch
@@ -2216,7 +2220,21 @@ fi
# plz don't put in a version string unless you're going to tag
# and build.
+# Queued for 2.6.31.13:
+# More futex fixes (CVE-2010-0623)
+# Stuff we already have:
+# tty-fix-race-in-tty_fasync.patch
+# fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+# fix-race-in-tty_fasync_properly.patch
+# connector-delete-buggy-notification-code.patch
+# fix-crash-with-sys_move_pages.patch
+# futex-handle-user-space-corruption-gracefully.patch
+
%changelog
+* Sat Feb 13 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.31.12-174.2.20
+- kernel: vgaarb: fix incorrect dereference of userspace pointer (#564246)
+- Always apply the patch git-linus.diff if it's not empty.
+
* Wed Feb 10 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.31.12-174.2.19
- fix-race-in-tty_fasync_properly.patch: fix problems caused by the fix
for bug #559100
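Review bot: the added comment block lists "More futex fixes (CVE-2010-0623)" under "Queued for 2.6.31.13" and then a separate "Stuff we already have" list, which leaves it unclear whether this build carries the CVE-2010-0623 fix. Since the new changelog entry for 2.6.31.12-174.2.20 does not mention it, state explicitly in the comment that the fix is not yet applied here, or add the patch and a changelog line for it.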
@@ -2236,7 +2254,7 @@ fi
* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
- the PI futex code. (rhbz#563091)
+ the PI futex code. (rhbz#563091) (CVE-2010-0622)
* Sun Feb 07 2010 Kyle McMartin <kyle at redhat.com>
- ext4-fix-dq_claim_space.patch: try to fix the quota WARN_ON that's currently
@@ -2252,7 +2270,7 @@ fi
* Sat Feb 06 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.11
- fix-crash-with-sys_move_pages.patch: sys_move_pages doesn't bounds
- check the node properly.
+ check the node properly. (CVE-2010-0415)
* Sat Feb 06 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.31.12-174.2.10
- CVE-2010-0410 kernel: OOM/crash in drivers/connector
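Review bot: the CVE annotation added here (and in the previous hunk) is appended as a suffix, `check the node properly. (CVE-2010-0415)`, while the neighbouring entry uses a prefix, `- CVE-2010-0410 kernel: OOM/crash in drivers/connector`. Pick one form so the changelog can be searched for CVE ids consistently, and mention in the commit log that historical changelog entries were edited, since the log message only covers the vgaarb fix and git-linus.diff.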