From: Greg Kroah-Hartman Date: Tue, 24 Aug 2010 18:16:11 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.32.21~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9dfaffc5d46d56412e29c91deacf6df789da9283;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches --- diff --git a/queue-2.6.27/drm-stop-information-leak-of-old-kernel-stack.patch b/queue-2.6.27/drm-stop-information-leak-of-old-kernel-stack.patch new file mode 100644 index 00000000000..e5f713a8b72 --- /dev/null +++ b/queue-2.6.27/drm-stop-information-leak-of-old-kernel-stack.patch @@ -0,0 +1,40 @@ +From b9f0aee83335db1f3915f4e42a5e21b351740afd Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 17 Aug 2010 14:46:00 +1000 +Subject: drm: stop information leak of old kernel stack. + +From: Dave Airlie + +commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream. + +non-critical issue, CVE-2010-2803 + +Userspace controls the amount of memory to be allocate, so it can +get the ioctl to allocate more memory than the kernel uses, and get +access to kernel stack. This can only be done for processes authenticated +to the X server for DRI access, and if the user has DRI access. + +Fix is to just memset the data to 0 if the user doesn't copy into +it in the first place. + +Reported-by: Kees Cook +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -504,7 +504,9 @@ int drm_ioctl(struct inode *inode, struc + retcode = -EFAULT; + goto err_i1; + } +- } ++ } else ++ memset(kdata, 0, _IOC_SIZE(cmd)); ++ + retcode = func(dev, kdata, file_priv); + + if ((retcode == 0) && (cmd & IOC_OUT)) { diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 2af48da3961..2f7733a4886 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series 
@@ -3,3 +3,4 @@ kbuild-fix-make-incompatibility.patch selinux-use-default-proc-sid-on-symlinks.patch can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch fixes-for-using-make-3.82.patch +drm-stop-information-leak-of-old-kernel-stack.patch
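Review bot: In the drm_drv.c hunk, the new `else` branch zeroes `_IOC_SIZE(cmd)` bytes, and that length is decoded from the `cmd` value that the commit message says userspace controls. The fix is therefore only complete if the `kdata` buffer is sized by that same value and the later copy-out under `cmd & IOC_OUT` is bounded by it too. The visible context shows neither the allocation nor the copy-out length, so both are worth confirming against the 2.6.27 tree before this backport is queued. As a style point on the same lines, the `if` arm is braced while the new `else` arm is not; kernel coding style asks for braces on both arms when either has them, i.e. `} else {` followed by the `memset(kdata, 0, _IOC_SIZE(cmd));` line and a closing `}`.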