From dcba3e47aedabe2afa6c854c16964541dddf8bc3 Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Nov 23 2010 17:14:16 +0000 Subject: clear memory in viafb ioctl (CVE-2010-4082) --- diff --git a/kernel.spec b/kernel.spec index 3068a1c..0365cf4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -851,6 +851,8 @@ Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch +Patch13704: via-ioctl-prevent-reading-uninit-memory.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1619,6 +1621,9 @@ ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch # rhbz#656264 ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch +# rhbz#648671 (CVE-2010-4082) +ApplyPatch via-ioctl-prevent-reading-uninit-memory.patch + # END OF PATCH APPLICATIONS %endif @@ -2246,6 +2251,7 @@ fi - fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264) - posix-cpu-timers: workaround to suppress the problems with mt exec (rhbz#656264) +- clear memory in viafb ioctl (CVE-2010-4082) (#648671) * Fri Oct 22 2010 Kyle McMartin 2.6.34.7-62 - tpm-autodetect-itpm-devices.patch: Auto-fix TPM issues on various diff --git a/via-ioctl-prevent-reading-uninit-memory.patch b/via-ioctl-prevent-reading-uninit-memory.patch new file mode 100644 index 0000000..a5d984c --- /dev/null +++ b/via-ioctl-prevent-reading-uninit-memory.patch 
@@ -0,0 +1,33 @@ +From aaa3e9152f27f6cd83c074d7dc99e79897ac8c20 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Wed, 15 Sep 2010 19:08:24 -0400 +Subject: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory + +The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 +bytes of uninitialized stack memory, because the "reserved" member of +the viafb_ioctl_info struct declared on the stack is not altered or +zeroed before being copied back to the user. This patch takes care of +it. + +Signed-off-by: Dan Rosenberg +Signed-off-by: Florian Tobias Schandinat +--- + drivers/video/via/ioctl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c +index da03c07..4d553d0 100644 +--- a/drivers/video/via/ioctl.c ++++ b/drivers/video/via/ioctl.c +@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg) + { + struct viafb_ioctl_info viainfo; + ++ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info)); ++ + viainfo.viafb_id = VIAID; + viainfo.vendor_id = PCI_VIA_VENDOR_ID; + +-- +1.7.3.2 +
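Review bot: the bug reference is spelled two ways within the kernel.spec part of this change. The ApplyPatch comment in the @@ -1619 hunk uses "rhbz#648671", while the new changelog entry in the @@ -2246 hunk uses "(#648671)", directly under an entry that uses "(rhbz#656264)". Writing the new entry as "(rhbz#648671)" would let the same search string find both the ApplyPatch comment and the changelog line.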
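Review bot: in the drivers/video/via/ioctl.c hunk, the added memset takes its length from the type name, sizeof(struct viafb_ioctl_info), rather than from the object. Writing it as memset(&viainfo, 0, sizeof(viainfo)); keeps the length tied to the variable if its declaration ever changes. Clearing the whole struct rather than only the "reserved" member named in the commit message is the right scope, since it also covers any compiler padding between fields. A one-line comment stating that the clear is there because the struct is copied back to the user would keep it from being removed later as redundant with the field assignments that follow it.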