** Changed in: linux (Ubuntu Hardy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Hardy)
     Assignee: (unassigned) => Andy Whitcroft (apw)

** Changed in: linux (Ubuntu Lucid)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Maverick)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Maverick)
     Assignee: (unassigned) => Andy Whitcroft (apw)

** Changed in: linux (Ubuntu Maverick)
       Status: Fix Released => In Progress

** Changed in: linux (Ubuntu Natty)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Oneiric)
       Status: New => Invalid

** Description changed:

- Placeholder
+ Fixed By:
+ 
+   commit b522f02184b413955f3bc952e3776ce41edc6355
+   Author: Vasiliy Kulikov <seg...@openwall.com>
+   Date:   Thu Apr 14 20:55:19 2011 +0400
+ 
+     agp: fix OOM and buffer overflow
+     
+     page_count is copied from userspace.  agp_allocate_memory() tries to
+     check whether this number is too big, but doesn't take into account the
+     wrap case.  Also agp_create_user_memory() doesn't check whether
+     alloc_size is calculated from num_agp_pages variable without overflow.
+     This may lead to allocation of too small buffer with following buffer
+     overflow.
+     
+     Another problem in agp code is not addressed in the patch - kernel memory
+     exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
+     whether requested pid is a pid of the caller (no check in agpioc_reserve_wra
+     Each allocation is limited to 16KB, though, there is no per-process limit.
+     This might lead to OOM situation, which is not even solved in case of the
+     caller death by OOM killer - the memory is allocated for another (faked) pro
+     
+     Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
+     Signed-off-by: Dave Airlie <airl...@redhat.com>
+ 
+ This fix has hit Oneiric, Natty and Lucid via mainline/stable updates.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/791918

Title:
  CVE-2011-1746

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
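
The two arithmetic problems the commit message above describes (a limit check that ignores the wrap case, and an allocation size computed without an overflow check) can be reproduced in user space. This is an added illustration, not the kernel patch and not part of the original notification; the function names, the `size_t` types and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Wrap-unaware quota check: in_use + page_count can wrap past SIZE_MAX
 * and compare as a small number, so a huge request is admitted. */
static int admit_naive(size_t in_use, size_t max, size_t page_count)
{
    return in_use + page_count <= max;
}

/* Wrap-aware check: compare the request against the remaining headroom,
 * so no addition on caller-controlled input can wrap. */
static int admit_checked(size_t in_use, size_t max, size_t page_count)
{
    if (in_use > max)
        return 0;
    return page_count <= max - in_use;
}

/* Unchecked size of a table with one entry per page: wraps silently. */
static size_t table_bytes_naive(size_t num_pages, size_t entry_size)
{
    return num_pages * entry_size;
}

/* Checked variant: returns 0 and stores the size, or -1 if the product
 * would not fit in size_t. */
static int table_bytes_checked(size_t num_pages, size_t entry_size, size_t *out)
{
    if (entry_size != 0 && num_pages > SIZE_MAX / entry_size)
        return -1;
    *out = num_pages * entry_size;
    return 0;
}

int main(void)
{
    /* Constructed values: 100 pages in use, limit 1000, 8-byte entries. */
    size_t huge = SIZE_MAX - 50, n = SIZE_MAX / 8 + 2, bytes = 0;

    printf("naive admits huge request:   %d\n", admit_naive(100, 1000, huge));
    printf("checked admits huge request: %d\n", admit_checked(100, 1000, huge));
    printf("naive table size:   %zu bytes\n", table_bytes_naive(n, 8));
    printf("checked table size: %s\n",
           table_bytes_checked(n, 8, &bytes) ? "rejected" : "accepted");
    return 0;
}
```

The naive size calculation yields an 8-byte table for a page count far larger than that, which is the "too small buffer with following buffer overflow" condition the commit message names.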
