summaryrefslogtreecommitdiff
path: root/drivers/gpu/vga
diff options
context:
space:
mode:
authorAndy Getzendanner <james.getzendanner@students.olin.edu>2010-02-11 14:04:48 +1000
committerDave Airlie <airlied@redhat.com>2010-02-11 14:04:48 +1000
commit77c1ff3982c6b36961725dd19e872a1c07df7f3b (patch)
tree679ddde451763655c6594ae18afa58fcfc7339b1 /drivers/gpu/vga
parent0a4583eb98af3fad7a8ab7d4915bd3ae179618c3 (diff)
downloadlwn-77c1ff3982c6b36961725dd19e872a1c07df7f3b.tar.gz
lwn-77c1ff3982c6b36961725dd19e872a1c07df7f3b.zip
vgaarb: fix incorrect dereference of userspace pointer.
This patch corrects a userspace pointer dereference in the VGA arbiter in 2.6.32.1. copy_from_user() is used at line 822 to copy the contents of buf into kbuf, but a call to strncmp() on line 964 uses buf rather than kbuf. This problem led to a GPF in strncmp() when X was started on my x86_32 systems. X triggered the behavior with a write of "target PCI:0000:01:00.0" to /dev/vga_arbiter. The patch has been tested against 2.6.32.1 and observed to correct the GPF observed when starting X or manually writing the string "target PCI:0000:01:00.0" to /dev/vga_arbiter. Signed-off-by: Andy Getzendanner <james.getzendanner@students.olin.edu> Cc: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers/gpu/vga')
-rw-r--r--drivers/gpu/vga/vgaarb.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
index 1ac0c93603c9..24b56dc54597 100644
--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
remaining -= 7;
pr_devel("client 0x%p called 'target'\n", priv);
/* if target is default */
- if (!strncmp(buf, "default", 7))
+ if (!strncmp(kbuf, "default", 7))
pdev = pci_dev_get(vga_default_device());
else {
if (!vga_pci_str_to_vars(curr_pos, remaining,