From: Andy Getzendanner Date: Thu, 11 Feb 2010 04:04:48 +0000 (+1000) Subject: vgaarb: fix incorrect dereference of userspace pointer. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=77c1ff3982c6b36961725dd19e872a1c07df7f3b;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git vgaarb: fix incorrect dereference of userspace pointer. This patch corrects a userspace pointer dereference in the VGA arbiter in 2.6.32.1. copy_from_user() is used at line 822 to copy the contents of buf into kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf. This problem led to a GPF in strncmp() when X was started on my x86_32 systems. X triggered the behavior with a write of "target PCI:0000:01:00.0" to /dev/vga_arbiter. The patch has been tested against 2.6.32.1 and observed to correct the GPF observed when starting X or manually writing the string "target PCI:0000:01:00.0" to /dev/vga_arbiter. Signed-off-by: Andy Getzendanner Cc: Jesse Barnes Cc: Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie --- diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index 1ac0c93603c9..24b56dc54597 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf, remaining -= 7; pr_devel("client 0x%p called 'target'\n", priv); /* if target is default */ - if (!strncmp(buf, "default", 7)) + if (!strncmp(kbuf, "default", 7)) pdev = pci_dev_get(vga_default_device()); else { if (!vga_pci_str_to_vars(curr_pos, remaining,