x11-drivers/ati-userspace/files/ati-drivers-CVE-2010-3081-fix.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

/****************************************************************************
 *                                                                          *
 * Copyright 1999-2005 ATI Technologies Inc., Markham, Ontario, CANADA.     *
 * All Rights Reserved.                                                     *
 *                                                                          *
 * Your use and or redistribution of this software in source and \ or       *
 * binary form, with or without modification, is subject to: (i) your       *
 * ongoing acceptance of and compliance with the terms and conditions of    *
 * the ATI Technologies Inc. software End User License Agreement; and (ii)  *
 * your inclusion of this notice in any version of this software that you   *
 * use or redistribute.  A copy of the ATI Technologies Inc. software End   *
 * User License Agreement is included with this software and is also        *
 * available by contacting ATI Technologies Inc. at http://www.ati.com      *
 *                                                                          *
 ****************************************************************************/

--- common/lib/modules/fglrx/build_mod/kcl_ioctl.c.orig	2010-09-01 16:05:31.000000000 +0200
+++ common/lib/modules/fglrx/build_mod/kcl_ioctl.c	2010-09-23 01:41:46.711844303 +0200
@@ -35,6 +35,9 @@
 
 #ifdef __x86_64__
 #   include "asm/compat.h"
+#   if ARCH_COMPAT_ALLOC_USER_SPACE
+#      include "linux/compat.h"
+#   endif
 #   if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
 #       if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
 #           include "linux/ioctl32.h"
@@ -193,7 +196,20 @@
  */
 void* ATI_API_CALL KCL_IOCTL_AllocUserSpace32(long size)
 {
-    return compat_alloc_user_space(size);
+    void __user *ptr;
+
+    /* If size would occupy more than half of the entire compat space... */
+    if (unlikely(size > (((compat_uptr_t)~0) >> 1)))
+        return NULL;
+#if ARCH_COMPAT_ALLOC_USER_SPACE
+    ptr = arch_compat_alloc_user_space(size);
+#else
+    ptr = compat_alloc_user_space(size);
+#endif
+    if (unlikely(!access_ok(VERIFY_WRITE, ptr, size)))
+        return NULL;
+
+    return ptr;
 }
 
 #endif // __x86_64__
--- common/lib/modules/fglrx/build_mod/2.6.x/Makefile.orig	2010-09-01 16:05:31.000000000 +0200
+++ common/lib/modules/fglrx/build_mod/2.6.x/Makefile	2010-09-23 01:47:46.533415019 +0200
@@ -66,6 +66,7 @@
                 -DFGL_GART_RESERVED_SLOT \
                 -DFGL_LINUX253P1_VMA_API \
                 -DPAGE_ATTR_FIX=$(PAGE_ATTR_FIX) \
+                -DARCH_COMPAT_ALLOC_USER_SPACE=$(ARCH_COMPAT_ALLOC_USER_SPACE) \
 
 ifeq ($(KERNELRELEASE),)
 # on first call from remote location we get into this path