** Changed in: linux (Ubuntu Hardy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Hardy)
     Assignee: (unassigned) => Andy Whitcroft (apw)

** Changed in: linux (Ubuntu Lucid)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Maverick)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Maverick)
     Assignee: (unassigned) => Andy Whitcroft (apw)

** Changed in: linux (Ubuntu Maverick)
       Status: Fix Released => In Progress

** Changed in: linux (Ubuntu Natty)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Oneiric)
       Status: New => Invalid

** Description changed:

- Placeholder
+ Fixed By:
+
+ commit b522f02184b413955f3bc952e3776ce41edc6355
+ Author: Vasiliy Kulikov <seg...@openwall.com>
+ Date: Thu Apr 14 20:55:19 2011 +0400
+
+ agp: fix OOM and buffer overflow
+
+ page_count is copied from userspace. agp_allocate_memory() tries to
+ check whether this number is too big, but doesn't take into account the
+ wrap case. Also agp_create_user_memory() doesn't check whether
+ alloc_size is calculated from num_agp_pages variable without overflow.
+ This may lead to allocation of too small buffer with following buffer
+ overflow.
+
+ Another problem in agp code is not addressed in the patch - kernel memory
+ exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
+ whether requested pid is a pid of the caller (no check in agpioc_reserve_wra
+ Each allocation is limited to 16KB, though, there is no per-process limit.
+ This might lead to OOM situation, which is not even solved in case of the
+ caller death by OOM killer - the memory is allocated for another (faked) pro
+
+ Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
+ Signed-off-by: Dave Airlie <airl...@redhat.com>
+
+ This fix has hit Oneiric, Natty and Lucid via mainline/stable updates.

--
https://bugs.launchpad.net/bugs/791918

Title:
  CVE-2011-1746
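
The two arithmetic problems the commit message describes (a limit check that ignores wrap, and an allocation size computed without an overflow check) are shown below as an added userspace C model. It is not the kernel's code and not part of the original notification; the function names, the 8-byte entry size and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: one 8-byte table entry per requested page. */
#define ENTRY_SIZE 8u

/* Limit check that ignores wrap: cur + page_count can wrap past zero
 * and then compare as a small number. Returns 1 if the request passes. */
static int limit_check_naive(size_t cur, size_t page_count, size_t max)
{
    return !(cur + page_count > max);
}

/* Wrap-aware check: compare against the remaining headroom, so no
 * addition on caller-controlled input can overflow. */
static int limit_check_safe(size_t cur, size_t page_count, size_t max)
{
    if (cur > max)
        return 0;
    return page_count <= max - cur;
}

/* Unchecked 32-bit size calculation: the product is reduced modulo 2^32,
 * so a huge page count can yield a tiny buffer size. */
static uint32_t alloc_size_naive(uint32_t num_pages)
{
    return num_pages * ENTRY_SIZE;
}

/* Checked calculation: returns 0 (and leaves *out alone) on overflow. */
static int alloc_size_safe(uint32_t num_pages, uint32_t *out)
{
    if (num_pages > UINT32_MAX / ENTRY_SIZE)
        return 0;
    *out = num_pages * ENTRY_SIZE;
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    size_t cur = 100, max = 1000, huge = SIZE_MAX - 50;
    uint32_t pages = 0x20000001u, size = 0;

    printf("naive limit check accepts wrap: %d\n", limit_check_naive(cur, huge, max));
    printf("safe limit check accepts wrap:  %d\n", limit_check_safe(cur, huge, max));
    printf("naive alloc size: %u bytes\n", (unsigned)alloc_size_naive(pages));
    printf("safe alloc size ok: %d\n", alloc_size_safe(pages, &size));
    return 0;
}
```

In the naive path the wrapped request passes the limit check and the size calculation returns 8 bytes for more than half a billion entries, which is the "too small buffer with following buffer overflow" condition the commit message names.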