vgaarb: fix incorrect dereference of userspace pointer.

not in 2.6.32.9 but was sent to stable and most probably in .10

svn path=/dists/sid/linux-2.6/; revision=15231

3 files changed, 46 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index 65cc88977735..77c1d44dcba3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,7 +23,8 @@ linux-2.6 (2.6.32-9) UNRELEASED; urgency=low
     - futex_lock_pi() key refcnt fix. (CVE-2010-0623)
     - Staging: fix rtl8187se compilation errors with mac80211.
       (closes: #566726)
-  *  r8169 patch for rx length check errors. (CVE-2009-4537)
+  * r8169 patch for rx length check errors. (CVE-2009-4537)
+  * vgaarb: fix incorrect dereference of userspace pointer.
 
   [ Bastian Blank ]
   * Restrict access to sensitive SysRq keys by default.
diff --git a/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch b/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
new file mode 100644
index 000000000000..bfba789839ac
--- /dev/null
+++ b/debian/patches/bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch
@@ -0,0 +1,43 @@
+From 77c1ff3982c6b36961725dd19e872a1c07df7f3b Mon Sep 17 00:00:00 2001
+From: Andy Getzendanner <james.getzendanner@students.olin.edu>
+Date: Thu, 11 Feb 2010 14:04:48 +1000
+Subject: [PATCH] vgaarb: fix incorrect dereference of userspace pointer.
+
+This patch corrects a userspace pointer dereference in the VGA arbiter
+in 2.6.32.1.
+
+copy_from_user() is used at line 822 to copy the contents of buf into
+kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf.  This
+problem led to a GPF in strncmp() when X was started on my x86_32 systems.
+ X triggered the behavior with a write of "target PCI:0000:01:00.0" to
+/dev/vga_arbiter.
+
+The patch has been tested against 2.6.32.1 and observed to correct the GPF
+observed when starting X or manually writing the string "target
+PCI:0000:01:00.0" to /dev/vga_arbiter.
+
+Signed-off-by: Andy Getzendanner <james.getzendanner@students.olin.edu>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ drivers/gpu/vga/vgaarb.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
+index 1ac0c93..24b56dc 100644
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
+ 		remaining -= 7;
+ 		pr_devel("client 0x%p called 'target'\n", priv);
+ 		/* if target is default */
+-		if (!strncmp(buf, "default", 7))
++		if (!strncmp(kbuf, "default", 7))
+ 			pdev = pci_dev_get(vga_default_device());
+ 		else {
+ 			if (!vga_pci_str_to_vars(curr_pos, remaining,
+-- 
+1.6.6.1
+
diff --git a/debian/patches/series/9 b/debian/patches/series/9
index b0df46a70db0..7b86cd9fe0f6 100644
--- a/debian/patches/series/9
+++ b/debian/patches/series/9
@@ -13,3 +13,4 @@
 - bugfix/x86/kvm-pit-control-word-is-write-only.patch
 + bugfix/all/stable/2.6.32.9-rc1.patch
 + bugfix/all/net-r8169-improved-rx-length-check-errors.patch
++ bugfix/all/vgaarb-fix-incorrect-dereference-of-userspace-pointe.patch