From: "Randy.Dunlap"
mtrr: prevent copy_from_user(to, from, -1) or (if that should succeed somehow) write to line[-1] (on stack);
Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
---
 25-akpm/arch/i386/kernel/cpu/mtrr/if.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff -puN arch/i386/kernel/cpu/mtrr/if.c~mtrr-uaccess-range-checking-fix arch/i386/kernel/cpu/mtrr/if.c
--- 25/arch/i386/kernel/cpu/mtrr/if.c~mtrr-uaccess-range-checking-fix 2005-03-16 17:36:36.000000000 -0800
+++ 25-akpm/arch/i386/kernel/cpu/mtrr/if.c 2005-03-16 17:36:36.000000000 -0800
@@ -98,16 +98,20 @@ mtrr_write(struct file *file, const char
 unsigned long long base, size;
 char *ptr;
 char line[LINE_SIZE];
+ size_t linelen;
 if (!capable(CAP_SYS_ADMIN))
 return -EPERM;
+ if (!len)
+ return -EINVAL;
 memset(line, 0, LINE_SIZE);
 if (len > LINE_SIZE)
 len = LINE_SIZE;
 if (copy_from_user(line, buf, len - 1))
 return -EFAULT;
- ptr = line + strlen(line) - 1;
- if (*ptr == '\n')
+ linelen = strlen(line);
+ ptr = line + linelen - 1;
+ if (linelen && *ptr == '\n')
 *ptr = '\0';
 if (!strncmp(line, "disable=", 8)) {
 reg = simple_strtoul(line + 8, &ptr, 0);
_
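Review bot: `ptr = line + linelen - 1;` is still evaluated when `linelen` is 0 (for example on a 1-byte write, where `len - 1` copies nothing), so a pointer one element before `line` is formed. The `linelen &&` test keeps it from being dereferenced, but that arithmetic is itself undefined in C. Indexing inside the guard avoids it: `if (linelen && line[linelen - 1] == '\n')` followed by `line[linelen - 1] = '\0';`. This assumes nothing later reads `ptr` before `simple_strtoul()` overwrites it; the rest of mtrr_write lies outside this hunk. Separately, `copy_from_user(line, buf, len - 1)` always leaves out the last byte of the write, so input without a trailing newline loses its final character; a comment such as `/* the final byte is presumed to be '\n' and is not copied */` would make that assumption visible.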