CVE-2011-1747
The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not
properly restrict memory allocation by the (1) AGPIOC_RESERVE and
(2) AGPIOC_ALLOCATE ioctls, which allows local users to cause a
denial of service (memory consumption) by making many calls to
these ioctls.

The fix for this issue is already applied for Oneiric, Natty, and Lucid
arriving via mainline/stable updates. Following this email is a patch
which applies to both Maverick and Hardy correcting the flaw.

Proposing for Hardy and Maverick.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

From: Vasiliy Kulikov <segoon@openwall.com>

page_count is copied from userspace. agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case. Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

CVE-2011-1747
BugLink: http://bugs.launchpad.net/bugs/788700
(cherry picked from commit b522f02184b413955f3bc952e3776ce41edc6355)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
drivers/char/agp/generic.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index d2abf51..3d852bf 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -122,6 +122,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
struct agp_memory *new;
unsigned long alloc_size = num_agp_pages*sizeof(struct page *);

+ if (INT_MAX/sizeof(struct page *) < num_agp_pages)
+ return NULL;
+
new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
if (new == NULL)
return NULL;
@@ -241,11 +244,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
int scratch_pages;
struct agp_memory *new;
size_t i;
+ int cur_memory;

if (!bridge)
return NULL;

- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
+ cur_memory = atomic_read(&bridge->current_memory_agp);
+ if ((cur_memory + page_count > bridge->max_memory_agp) ||
+ (cur_memory + page_count < page_count))
return NULL;

if (type >= AGP_USER_TYPES) {
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 05/26/2011 10:22 AM, Andy Whitcroft wrote:

From: Vasiliy Kulikov<segoon@openwall.com>

page_count is copied from userspace. agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case. Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov<segoon@openwall.com>
Signed-off-by: Dave Airlie<airlied@redhat.com>

CVE-2011-1747
BugLink: http://bugs.launchpad.net/bugs/788700
(cherry picked from commit b522f02184b413955f3bc952e3776ce41edc6355)
Signed-off-by: Andy Whitcroft<apw@canonical.com>
---
drivers/char/agp/generic.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index d2abf51..3d852bf 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -122,6 +122,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
struct agp_memory *new;
unsigned long alloc_size = num_agp_pages*sizeof(struct page *);

+ if (INT_MAX/sizeof(struct page *)< num_agp_pages)
+ return NULL;
+
new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
if (new == NULL)
return NULL;
@@ -241,11 +244,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
int scratch_pages;
struct agp_memory *new;
size_t i;
+ int cur_memory;

if (!bridge)
return NULL;

- if ((atomic_read(&bridge->current_memory_agp) + page_count)> bridge->max_memory_agp)
+ cur_memory = atomic_read(&bridge->current_memory_agp);
+ if ((cur_memory + page_count> bridge->max_memory_agp) ||
+ (cur_memory + page_count< page_count))
return NULL;

if (type>= AGP_USER_TYPES) {


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On Thu, 2011-05-26 at 17:22 +0100, Andy Whitcroft wrote:
> From: Vasiliy Kulikov <segoon@openwall.com>
>
> page_count is copied from userspace. agp_allocate_memory() tries to
> check whether this number is too big, but doesn't take into account the
> wrap case. Also agp_create_user_memory() doesn't check whether
> alloc_size is calculated from num_agp_pages variable without overflow.
> This may lead to allocation of too small buffer with following buffer
> overflow.
>
> Another problem in agp code is not addressed in the patch - kernel memory
> exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
> whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
> Each allocation is limited to 16KB, though, there is no per-process limit.
> This might lead to OOM situation, which is not even solved in case of the
> caller death by OOM killer - the memory is allocated for another (faked) process.
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Signed-off-by: Dave Airlie <airlied@redhat.com>
>
> CVE-2011-1747
> BugLink: http://bugs.launchpad.net/bugs/788700
> (cherry picked from commit b522f02184b413955f3bc952e3776ce41edc6355)
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
> drivers/char/agp/generic.c | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
> index d2abf51..3d852bf 100644
> --- a/drivers/char/agp/generic.c
> +++ b/drivers/char/agp/generic.c
> @@ -122,6 +122,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
> struct agp_memory *new;
> unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
>
> + if (INT_MAX/sizeof(struct page *) < num_agp_pages)
> + return NULL;
> +
> new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
> if (new == NULL)
> return NULL;
> @@ -241,11 +244,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
> int scratch_pages;
> struct agp_memory *new;
> size_t i;
> + int cur_memory;
>
> if (!bridge)
> return NULL;
>
> - if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
> + cur_memory = atomic_read(&bridge->current_memory_agp);
> + if ((cur_memory + page_count > bridge->max_memory_agp) ||
> + (cur_memory + page_count < page_count))
> return NULL;
>
> if (type >= AGP_USER_TYPES) {
> --
> 1.7.4.1
>
>



--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 06/02/2011 09:38 AM, Andy Whitcroft wrote:

CVE-2011-1746
Multiple integer overflows in the (1) agp_allocate_memory and (2)
agp_create_user_memory functions in drivers/char/agp/generic.c
in the Linux kernel before 2.6.38.5 allow local users to trigger
buffer overflows, and consequently cause a denial of service
(system crash) or possibly have unspecified other impact, via
vectors related to calls that specify a large number of memory
pages.

This fix was applied to Oneiric, Natty, and Lucid via mainline and
stable updates. Following this email is a patch which applies to both
Hardy and Maverick, this is a simple cherry-pick from mainline.

Proposing for Hardy and Maverick.

-apw



Thought you did this one already?

Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

CVE-2011-1746
Multiple integer overflows in the (1) agp_allocate_memory and (2)
agp_create_user_memory functions in drivers/char/agp/generic.c
in the Linux kernel before 2.6.38.5 allow local users to trigger
buffer overflows, and consequently cause a denial of service
(system crash) or possibly have unspecified other impact, via
vectors related to calls that specify a large number of memory
pages.

This fix was applied to Oneiric, Natty, and Lucid via mainline and
stable updates. Following this email is a patch which applies to both
Hardy and Maverick, this is a simple cherry-pick from mainline.

Proposing for Hardy and Maverick.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

From: Vasiliy Kulikov <segoon@openwall.com>

page_count is copied from userspace. agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case. Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

(cherry picked from commit b522f02184b413955f3bc952e3776ce41edc6355)
CVE-2011-1746
BugLink: http://bugs.launchpad.net/bugs/791918
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
drivers/char/agp/generic.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index 7858016..8df122a 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -122,6 +122,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
struct agp_memory *new;
unsigned long alloc_size = num_agp_pages*sizeof(struct page *);

+ if (INT_MAX/sizeof(struct page *) < num_agp_pages)
+ return NULL;
+
new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
if (new == NULL)
return NULL;
@@ -241,11 +244,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
int scratch_pages;
struct agp_memory *new;
size_t i;
+ int cur_memory;

if (!bridge)
return NULL;

- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
+ cur_memory = atomic_read(&bridge->current_memory_agp);
+ if ((cur_memory + page_count > bridge->max_memory_agp) ||
+ (cur_memory + page_count < page_count))
return NULL;

if (type >= AGP_USER_TYPES) {
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 06/02/2011 09:38 AM, Andy Whitcroft wrote:

From: Vasiliy Kulikov<segoon@openwall.com>

page_count is copied from userspace. agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case. Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov<segoon@openwall.com>
Signed-off-by: Dave Airlie<airlied@redhat.com>

(cherry picked from commit b522f02184b413955f3bc952e3776ce41edc6355)
CVE-2011-1746
BugLink: http://bugs.launchpad.net/bugs/791918
Signed-off-by: Andy Whitcroft<apw@canonical.com>
---
drivers/char/agp/generic.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index 7858016..8df122a 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -122,6 +122,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
struct agp_memory *new;
unsigned long alloc_size = num_agp_pages*sizeof(struct page *);

+ if (INT_MAX/sizeof(struct page *)< num_agp_pages)
+ return NULL;
+
new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
if (new == NULL)
return NULL;
@@ -241,11 +244,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
int scratch_pages;
struct agp_memory *new;
size_t i;
+ int cur_memory;

if (!bridge)
return NULL;

- if ((atomic_read(&bridge->current_memory_agp) + page_count)> bridge->max_memory_agp)
+ cur_memory = atomic_read(&bridge->current_memory_agp);
+ if ((cur_memory + page_count> bridge->max_memory_agp) ||
+ (cur_memory + page_count< page_count))
return NULL;

if (type>= AGP_USER_TYPES) {


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On Thu, Jun 02, 2011 at 08:03:57AM -0700, Tim Gardner wrote:
> On 06/02/2011 09:38 AM, Andy Whitcroft wrote:
> >CVE-2011-1746
> > Multiple integer overflows in the (1) agp_allocate_memory and (2)
> > agp_create_user_memory functions in drivers/char/agp/generic.c
> > in the Linux kernel before 2.6.38.5 allow local users to trigger
> > buffer overflows, and consequently cause a denial of service
> > (system crash) or possibly have unspecified other impact, via
> > vectors related to calls that specify a large number of memory
> > pages.
> >
> >This fix was applied to Oneiric, Natty, and Lucid via mainline and
> >stable updates. Following this email is a patch which applies to both
> >Hardy and Maverick, this is a simple cherry-pick from mainline.
> >
> >Proposing for Hardy and Maverick.
> >
> >-apw
> >
>
> Thought you did this one already?
>
> Acked-by: Tim Gardner <tim.gardner@canonical.com>

Three different commits it seems across the same driver.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Applied to Maverick.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team