diff options
author | Andy Getzendanner <james.getzendanner@students.olin.edu> | 2010-02-10 23:04:48 -0500 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2010-02-10 23:04:48 -0500 |
commit | 77c1ff3982c6b36961725dd19e872a1c07df7f3b (patch) | |
tree | 679ddde451763655c6594ae18afa58fcfc7339b1 | |
parent | 0a4583eb98af3fad7a8ab7d4915bd3ae179618c3 (diff) |
vgaarb: fix incorrect dereference of userspace pointer.
This patch corrects a userspace pointer dereference in the VGA arbiter
in 2.6.32.1.
copy_from_user() is used at line 822 to copy the contents of buf into
kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf. This
problem led to a GPF in strncmp() when X was started on my x86_32 systems.
X triggered the behavior with a write of "target PCI:0000:01:00.0" to
/dev/vga_arbiter.
The patch has been tested against 2.6.32.1 and observed to correct the GPF
observed when starting X or manually writing the string "target
PCI:0000:01:00.0" to /dev/vga_arbiter.
Signed-off-by: Andy Getzendanner <james.getzendanner@students.olin.edu>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r-- | drivers/gpu/vga/vgaarb.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index 1ac0c93603c9..24b56dc54597 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c | |||
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf, | |||
961 | remaining -= 7; | 961 | remaining -= 7; |
962 | pr_devel("client 0x%p called 'target'\n", priv); | 962 | pr_devel("client 0x%p called 'target'\n", priv); |
963 | /* if target is default */ | 963 | /* if target is default */ |
964 | if (!strncmp(buf, "default", 7)) | 964 | if (!strncmp(kbuf, "default", 7)) |
965 | pdev = pci_dev_get(vga_default_device()); | 965 | pdev = pci_dev_get(vga_default_device()); |
966 | else { | 966 | else { |
967 | if (!vga_pci_str_to_vars(curr_pos, remaining, | 967 | if (!vga_pci_str_to_vars(curr_pos, remaining, |