rpms/kernel/F-12 vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch, NONE, 1.1.2.1 kernel.spec, 1.1960.2.19, 1.1960.2.20

Chuck Ebbert cebbert at fedoraproject.org
Sun Feb 14 00:12:30 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19625

Modified Files:
      Tag: private-fedora-12-2_6_31
	kernel.spec 
Added Files:
      Tag: private-fedora-12-2_6_31
	vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch 
Log Message:
kernel: vgaarb: fix incorrect dereference of userspace pointer (#564246)
Always apply the patch git-linus.diff if it's not empty.

vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch:
 vgaarb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch ---
>From 77c1ff3982c6b36961725dd19e872a1c07df7f3b Mon Sep 17 00:00:00 2001
From: Andy Getzendanner <james.getzendanner at students.olin.edu>
Date: Thu, 11 Feb 2010 14:04:48 +1000
Subject: vgaarb: fix incorrect dereference of userspace pointer.

From: Andy Getzendanner <james.getzendanner at students.olin.edu>

commit 77c1ff3982c6b36961725dd19e872a1c07df7f3b upstream.

[ cebbert at redhat.com : trivial backport to Fedora 12 2.6.31 ]
[ patch not needed in upstream 2.6.31 ]

This patch corrects a userspace pointer dereference in the VGA arbiter
in 2.6.32.1.

copy_from_user() is used at line 822 to copy the contents of buf into
kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf.  This
problem led to a GPF in strncmp() when X was started on my x86_32 systems.
 X triggered the behavior with a write of "target PCI:0000:01:00.0" to
/dev/vga_arbiter.

The patch has been tested against 2.6.32.1 and observed to correct the GPF
observed when starting X or manually writing the string "target
PCI:0000:01:00.0" to /dev/vga_arbiter.

Signed-off-by: Andy Getzendanner <james.getzendanner at students.olin.edu>
Cc: Jesse Barnes <jbarnes at virtuousgeek.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 drivers/gpu/vga/vgaarb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file
 		remaining -= 7;
 		pr_devel("client 0x%X called 'target'\n", (int)priv);
 		/* if target is default */
-		if (!strncmp(buf, "default", 7))
+		if (!strncmp(kbuf, "default", 7))
 			pdev = pci_dev_get(vga_default_device());
 		else {
 			if (!vga_pci_str_to_vars(curr_pos, remaining,
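
Review bot: the new comparison in the "if target is default" branch tests kbuf, the start of the copied buffer, while the else branch parses from curr_pos with the reduced remaining count. By this point the command has been identified as "target" (see the pr_devel line and "remaining -= 7"), so if kbuf still points at the beginning of the command it holds "target ..." and strncmp(kbuf, "default", 7) can never match; a write of "target default" would fall through to vga_pci_str_to_vars(). Suggest comparing at the position the else branch uses: if (!strncmp(curr_pos, "default", 7)). Moving off the __user pointer buf is correct either way.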


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1960.2.19
retrieving revision 1.1960.2.20
diff -u -p -r1.1960.2.19 -r1.1960.2.20
--- kernel.spec	10 Feb 2010 23:11:30 -0000	1.1960.2.19
+++ kernel.spec	14 Feb 2010 00:12:28 -0000	1.1960.2.20
@@ -729,9 +729,11 @@ Patch1839: drm-radeon-misc-fixes.patch
 Patch1900: linux-2.6-vga-arb.patch
 Patch1901: drm-vga-arb.patch
 Patch1902: drm-radeon-kms-arbiter-return-ignore.patch
+# RHBZ#564246
+Patch1903: vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch
 
 # make harmless fbcon debug less loud
-Patch1903: fbcon-lower-debug.patch
+Patch1910: fbcon-lower-debug.patch
 
 # kludge to make ich9 e1000 work
 Patch2000: linux-2.6-e1000-ich9.patch
@@ -1229,7 +1231,7 @@ make -f %{SOURCE20} VERSION=%{version} c
   done
 %endif
 
-#ApplyOptionalPatch git-linus.diff
+ApplyOptionalPatch git-linus.diff
 
 # This patch adds a "make nonint_oldconfig" which is non-interactive and
 # also gives a list of missing options at the end. Useful for automated
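
Review bot: enabling "ApplyOptionalPatch git-linus.diff" is unrelated to the vgaarb fix and has no comment in the spec explaining why it is now on. Suggest putting it in its own commit, or at least adding a comment line above it stating that the macro is expected to skip an empty git-linus.diff, since that behaviour is defined elsewhere in the spec and is not visible in this hunk.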
@@ -1480,6 +1482,8 @@ ApplyPatch drm-intel-no-tv-hotplug.patch
 ApplyPatch linux-2.6-vga-arb.patch
 ApplyPatch drm-vga-arb.patch
 ApplyPatch drm-radeon-kms-arbiter-return-ignore.patch
+# RHBZ#564246
+ApplyPatch vgaarb-fix-incorrect-dereference-of-userspace-pointer.patch
 
 # Lower debug level of fbcon handover messages (rh#538526)
 ApplyPatch fbcon-lower-debug.patch
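
Review bot: the "# RHBZ#564246" comment above the new ApplyPatch line records the bug but not the ordering requirement. The patch header says the fix is not needed in upstream 2.6.31, so it presumably modifies code brought in by the vga-arb patches applied just above it; a short comment such as "# must follow linux-2.6-vga-arb.patch" would keep a later reorder from breaking the patch application.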
@@ -2216,7 +2220,21 @@ fi
 # plz don't put in a version string unless you're going to tag
 # and build.
 
+# Queued for 2.6.31.13:
+# More futex fixes (CVE-2010-0623)
+# Stuff we already have:
+#  tty-fix-race-in-tty_fasync.patch
+#  fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+#  fix-race-in-tty_fasync_properly.patch
+#  connector-delete-buggy-notification-code.patch
+#  fix-crash-with-sys_move_pages.patch
+#  futex-handle-user-space-corruption-gracefully.patch
+
 %changelog
+* Sat Feb 13 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.31.12-174.2.20
+- kernel: vgaarb: fix incorrect dereference of userspace pointer (#564246)
+- Always apply the patch git-linus.diff if it's not empty.
+
 * Wed Feb 10 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.31.12-174.2.19
 - fix-race-in-tty_fasync_properly.patch: fix problems caused by the fix
   for bug #559100
@@ -2236,7 +2254,7 @@ fi
 
 * Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
 - futex-handle-user-space-corruption-gracefully.patch: Fix oops in
-  the PI futex code. (rhbz#563091)
+  the PI futex code. (rhbz#563091) (CVE-2010-0622)
 
 * Sun Feb 07 2010 Kyle McMartin <kyle at redhat.com>
 - ext4-fix-dq_claim_space.patch: try to fix the quota WARN_ON that's currently
@@ -2252,7 +2270,7 @@ fi
 
 * Sat Feb 06 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.11
 - fix-crash-with-sys_move_pages.patch: sys_move_pages doesn't bounds
-  check the node properly.
+  check the node properly. (CVE-2010-0415)
 
 * Sat Feb 06 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.31.12-174.2.10
 - CVE-2010-0410 kernel: OOM/crash in drivers/connector 


