Fedora kernel-2.6.17-1.2142_FC4 patched with stable patch-2.6.17.4-vs2.0.2-rc26.diff

[linux-2.6.git] / arch / parisc / hpux / sys_hpux.c
diff --git a/arch/parisc/hpux/sys_hpux.c b/arch/parisc/hpux/sys_hpux.c

index a64fd48..2ef63ba 100644 (file)
--- a/arch/parisc/hpux/sys_hpux.c
+++ b/arch/parisc/hpux/sys_hpux.c
@@ -22,6 +22,7 @@
   *    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   */
  
+#include <linux/capability.h>
  #include <linux/file.h>
  #include <linux/fs.h>
  #include <linux/namei.h>
@@ -32,6 +33,7 @@
  #include <linux/utsname.h>
  #include <linux/vfs.h>
  #include <linux/vmalloc.h>
+#include <linux/vs_cvirt.h>
  
  #include <asm/errno.h>
  #include <asm/pgalloc.h>
@@ -265,15 +267,15 @@ static int hpux_uname(struct hpux_utsname *name)
  
         down_read(&uts_sem);
  
-       error = __copy_to_user(&name->sysname,&system_utsname.sysname,HPUX_UTSLEN-1);
+       error = __copy_to_user(&name->sysname,vx_new_uts(sysname),HPUX_UTSLEN-1);
         error |= __put_user(0,name->sysname+HPUX_UTSLEN-1);
-       error |= __copy_to_user(&name->nodename,&system_utsname.nodename,HPUX_UTSLEN-1);
+       error |= __copy_to_user(&name->nodename,vx_new_uts(nodename),HPUX_UTSLEN-1);
         error |= __put_user(0,name->nodename+HPUX_UTSLEN-1);
-       error |= __copy_to_user(&name->release,&system_utsname.release,HPUX_UTSLEN-1);
+       error |= __copy_to_user(&name->release,vx_new_uts(release),HPUX_UTSLEN-1);
         error |= __put_user(0,name->release+HPUX_UTSLEN-1);
-       error |= __copy_to_user(&name->version,&system_utsname.version,HPUX_UTSLEN-1);
+       error |= __copy_to_user(&name->version,vx_new_uts(version),HPUX_UTSLEN-1);
         error |= __put_user(0,name->version+HPUX_UTSLEN-1);
-       error |= __copy_to_user(&name->machine,&system_utsname.machine,HPUX_UTSLEN-1);
+       error |= __copy_to_user(&name->machine,vx_new_uts(machine),HPUX_UTSLEN-1);
         error |= __put_user(0,name->machine+HPUX_UTSLEN-1);
  
         up_read(&uts_sem);
@@ -372,8 +374,8 @@ int hpux_utssys(char *ubuf, int n, int type)
                 /*  TODO:  print a warning about using this?  */
                 down_write(&uts_sem);
                 error = -EFAULT;
-               if (!copy_from_user(system_utsname.sysname, ubuf, len)) {
-                       system_utsname.sysname[len] = 0;
+               if (!copy_from_user(vx_new_uts(sysname), ubuf, len)) {
+                       vx_new_uts(sysname)[len] = 0;
                         error = 0;
                 }
                 up_write(&uts_sem);
@@ -399,8 +401,8 @@ int hpux_utssys(char *ubuf, int n, int type)
                 /*  TODO:  print a warning about this?  */
                 down_write(&uts_sem);
                 error = -EFAULT;
-               if (!copy_from_user(system_utsname.release, ubuf, len)) {
-                       system_utsname.release[len] = 0;
+               if (!copy_from_user(vx_new_uts(release), ubuf, len)) {
+                       vx_new_uts(release)[len] = 0;
                         error = 0;
                 }
                 up_write(&uts_sem);
@@ -421,13 +423,13 @@ int hpux_getdomainname(char *name, int len)
         
         down_read(&uts_sem);
         
-       nlen = strlen(system_utsname.domainname) + 1;
+       nlen = strlen(vx_new_uts(domainname)) + 1;
  
         if (nlen < len)
                 len = nlen;
         if(len > __NEW_UTS_LEN)
                 goto done;
-       if(copy_to_user(name, system_utsname.domainname, len))
+       if(copy_to_user(name, vx_new_uts(domainname), len))
                 goto done;
         err = 0;
  done:
@@ -467,19 +469,23 @@ int hpux_sysfs(int opcode, unsigned long arg1, unsigned long arg2)
         if ( opcode == 1 ) { /* GETFSIND */     
                 len = strlen_user((char *)arg1);
                 printk(KERN_DEBUG "len of arg1 = %d\n", len);
-
-               fsname = (char *) kmalloc(len+1, GFP_KERNEL);
+               if (len == 0)
+                       return 0;
+               fsname = (char *) kmalloc(len, GFP_KERNEL);
                 if ( !fsname ) {
                         printk(KERN_DEBUG "failed to kmalloc fsname\n");
                         return 0;
                 }
  
-               if ( copy_from_user(fsname, (char *)arg1, len+1) ) {
+               if ( copy_from_user(fsname, (char *)arg1, len) ) {
                         printk(KERN_DEBUG "failed to copy_from_user fsname\n");
                         kfree(fsname);
                         return 0;
                 }
  
+               /* String could be altered by userspace after strlen_user() */
+               fsname[len] = '\0';
+
                 printk(KERN_DEBUG "that is '%s' as (char *)\n", fsname);
                 if ( !strcmp(fsname, "hfs") ) {
                         fstype = 0;