lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <DA80C3E6C10BE94E8FCACEB239C2FEE46645317E76@EXVS01.olin.edu>
Date:	Fri, 18 Dec 2009 02:29:51 -0500
From:	James Getzendanner <James.Getzendanner@...dents.olin.edu>
To:	"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>
CC:	"trivial@...nel.org" <trivial@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: [PATCH] Userspace pointer dereference in drivers/gpu/vga/vgaarb.c

From: Andy Getzendanner <james.getzendanner@...dents.olin.edu>

This patch corrects a userspace pointer dereference in the VGA arbiter
in 2.6.32.1.
Signed-off-by: Andy Getzendanner <james.getzendanner@...dents.olin.edu>
---
copy_from_user() is used at line 822 to copy the contents of buf into
kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf.
This problem led to a GPF in strncmp() when X was started on my x86_32
systems.  X triggered the behavior with a write of
"target PCI:0000:01:00.0" to /dev/vga_arbiter.
The patch has been tested against 2.6.32.1 and observed to correct the
GPF observed when starting X or manually writing the string
"target PCI:0000:01:00.0" to /dev/vga_arbiter.
Please CC me at james.getzendanner@...dents.olin.edu in any replies as I
am not on the list.
--- linux-2.6.32.1/drivers/gpu/vga/vgaarb.c.orig	2009-12-18 00:26:31.000000000 -0500
+++ linux-2.6.32.1/drivers/gpu/vga/vgaarb.c	2009-12-18 00:27:14.000000000 -0500
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file
 		remaining -= 7;
 		pr_devel("client 0x%p called 'target'\n", priv);
 		/* if target is default */
-		if (!strncmp(buf, "default", 7))
+		if (!strncmp(kbuf, "default", 7))
 			pdev = pci_dev_get(vga_default_device());
 		else {
 			if (!vga_pci_str_to_vars(curr_pos, remaining,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ