FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team
Reload this Page agp: fix arbitrary kernel memory writes

 
 
LinkBack Thread Tools
 
Old 05-26-2011, 03:50 PM
Andy Whitcroft
 
Default agp: fix arbitrary kernel memory writes
CVE-2011-2022

The agp_generic_remove_memory function in
drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does
not validate a certain start parameter, which allows local users
to gain privileges or cause a denial of service (system crash)
via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different
vulnerability than CVE-2011-1745.

This is already fixed and released in Oneiric, Natty, and Lucid arriving
via mainline and stable. Following this email is a patch applicable to
both Maverick and Hardy.

Proposing for Maverick and Hardy.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 05-26-2011, 03:50 PM
Andy Whitcroft
 
Default agp: fix arbitrary kernel memory writes
From: Vasiliy Kulikov <segoon@openwall.com>

pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

CVE-1011-2022
BugLink: http://bugs.launchpad.net/bugs/788684
(cherry picked from commit 194b3da873fd334ef183806db751473512af29ce)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
drivers/char/agp/generic.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index d2abf51..7858016 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -1122,8 +1122,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
return -EINVAL;
}

- /* AK: could wrap */
- if ((pg_start + mem->page_count) > num_entries)
+ if (((pg_start + mem->page_count) > num_entries) ||
+ ((pg_start + mem->page_count) < pg_start))
return -EINVAL;

j = pg_start;
@@ -1157,7 +1157,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
{
size_t i;
struct agp_bridge_data *bridge;
- int mask_type;
+ int mask_type, num_entries;

bridge = mem->bridge;
if (!bridge)
@@ -1169,6 +1169,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
if (type != mem->type)
return -EINVAL;

+ num_entries = agp_num_entries();
+ if (((pg_start + mem->page_count) > num_entries) ||
+ ((pg_start + mem->page_count) < pg_start))
+ return -EINVAL;
+
mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
if (mask_type != 0) {
/* The generic routines know nothing of memory types */
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 05-26-2011, 04:04 PM
Tim Gardner
 
Default agp: fix arbitrary kernel memory writes
On 05/26/2011 09:50 AM, Andy Whitcroft wrote:

CVE-2011-2022

The agp_generic_remove_memory function in
drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does
not validate a certain start parameter, which allows local users
to gain privileges or cause a denial of service (system crash)
via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different
vulnerability than CVE-2011-1745.

This is already fixed and released in Oneiric, Natty, and Lucid arriving
via mainline and stable. Following this email is a patch applicable to
both Maverick and Hardy.

Proposing for Maverick and Hardy.

-apw



Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 05-26-2011, 04:13 PM
Leann Ogasawara
 
Default agp: fix arbitrary kernel memory writes
On Thu, 2011-05-26 at 16:50 +0100, Andy Whitcroft wrote:
> From: Vasiliy Kulikov <segoon@openwall.com>
>
> pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
> cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
> with sufficient privileges (usually "video" group) may generate either
> local DoS or privilege escalation.
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Signed-off-by: Dave Airlie <airlied@redhat.com>
>
> CVE-1011-2022
> BugLink: http://bugs.launchpad.net/bugs/788684
> (cherry picked from commit 194b3da873fd334ef183806db751473512af29ce)
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
> drivers/char/agp/generic.c | 11 ++++++++---
> 1 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
> index d2abf51..7858016 100644
> --- a/drivers/char/agp/generic.c
> +++ b/drivers/char/agp/generic.c
> @@ -1122,8 +1122,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
> return -EINVAL;
> }
>
> - /* AK: could wrap */
> - if ((pg_start + mem->page_count) > num_entries)
> + if (((pg_start + mem->page_count) > num_entries) ||
> + ((pg_start + mem->page_count) < pg_start))
> return -EINVAL;
>
> j = pg_start;
> @@ -1157,7 +1157,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
> {
> size_t i;
> struct agp_bridge_data *bridge;
> - int mask_type;
> + int mask_type, num_entries;
>
> bridge = mem->bridge;
> if (!bridge)
> @@ -1169,6 +1169,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
> if (type != mem->type)
> return -EINVAL;
>
> + num_entries = agp_num_entries();
> + if (((pg_start + mem->page_count) > num_entries) ||
> + ((pg_start + mem->page_count) < pg_start))
> + return -EINVAL;
> +
> mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
> if (mask_type != 0) {
> /* The generic routines know nothing of memory types */
> --
> 1.7.4.1
>
>



--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 05-26-2011, 04:22 PM
Tim Gardner
 
Default agp: fix arbitrary kernel memory writes
On 05/26/2011 09:50 AM, Andy Whitcroft wrote:

CVE-2011-2022

The agp_generic_remove_memory function in
drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does
not validate a certain start parameter, which allows local users
to gain privileges or cause a denial of service (system crash)
via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different
vulnerability than CVE-2011-1745.

This is already fixed and released in Oneiric, Natty, and Lucid arriving
via mainline and stable. Following this email is a patch applicable to
both Maverick and Hardy.

Proposing for Maverick and Hardy.

-apw



applied to hardy/maverick

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 08:17 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org

Contact Us - Linux Archive - Archive - Top -