1 files changed, 60 insertions, 0 deletions
diff --git a/x11-drivers/ati-userspace/files/ati-drivers-CVE-2010-3081-fix.patch b/x11-drivers/ati-userspace/files/ati-drivers-CVE-2010-3081-fix.patch
new file mode 100644
index 00000000..5a71da10
--- /dev/null
+++ b/x11-drivers/ati-userspace/files/ati-drivers-CVE-2010-3081-fix.patch
@@ -0,0 +1,60 @@
+/****************************************************************************
+ *                                                                          *
+ * Copyright 1999-2005 ATI Technologies Inc., Markham, Ontario, CANADA.     *
+ * All Rights Reserved.                                                     *
+ *                                                                          *
+ * Your use and or redistribution of this software in source and \ or       *
+ * binary form, with or without modification, is subject to: (i) your       *
+ * ongoing acceptance of and compliance with the terms and conditions of    *
+ * the ATI Technologies Inc. software End User License Agreement; and (ii)  *
+ * your inclusion of this notice in any version of this software that you   *
+ * use or redistribute.  A copy of the ATI Technologies Inc. software End   *
+ * User License Agreement is included with this software and is also        *
+ * available by contacting ATI Technologies Inc. at http://www.ati.com      *
+ *                                                                          *
+ ****************************************************************************/
+
+--- common/lib/modules/fglrx/build_mod/kcl_ioctl.c.orig	2010-09-01 16:05:31.000000000 +0200
++++ common/lib/modules/fglrx/build_mod/kcl_ioctl.c	2010-09-23 01:41:46.711844303 +0200
+@@ -35,6 +35,9 @@
+ 
+ #ifdef __x86_64__
+ #   include "asm/compat.h"
++#   if ARCH_COMPAT_ALLOC_USER_SPACE
++#      include "linux/compat.h"
++#   endif
+ #   if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
+ #       if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+ #           include "linux/ioctl32.h"
+@@ -193,7 +196,20 @@
+  */
+ void* ATI_API_CALL KCL_IOCTL_AllocUserSpace32(long size)
+ {
+-    return compat_alloc_user_space(size);
++    void __user *ptr;
++
++    /* If size would occupy more than half of the entire compat space... */
++    if (unlikely(size > (((compat_uptr_t)~0) >> 1)))
++        return NULL;
++#if ARCH_COMPAT_ALLOC_USER_SPACE
++    ptr = arch_compat_alloc_user_space(size);
++#else
++    ptr = compat_alloc_user_space(size);
++#endif
++    if (unlikely(!access_ok(VERIFY_WRITE, ptr, size)))
++        return NULL;
++
++    return ptr;
+ }
+ 
+ #endif // __x86_64__
+--- common/lib/modules/fglrx/build_mod/2.6.x/Makefile.orig	2010-09-01 16:05:31.000000000 +0200
++++ common/lib/modules/fglrx/build_mod/2.6.x/Makefile	2010-09-23 01:47:46.533415019 +0200
+@@ -66,6 +66,7 @@
+                 -DFGL_GART_RESERVED_SLOT \
+                 -DFGL_LINUX253P1_VMA_API \
+                 -DPAGE_ATTR_FIX=$(PAGE_ATTR_FIX) \
++                -DARCH_COMPAT_ALLOC_USER_SPACE=$(ARCH_COMPAT_ALLOC_USER_SPACE) \
+ 
+ ifeq ($(KERNELRELEASE),)
+ # on first call from remote location we get into this path