** Changed in: linux-mvl-dove (Ubuntu Lucid)
Status: New => Fix Released
** Changed in: linux-mvl-dove (Ubuntu Maverick)
Status: New => Fix Released
** Changed in: linux-lts-backport-maverick (Ubuntu Lucid)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Maverick)
Status: In Progress => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Oneiric)
Status: New => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Maverick)
Status: New => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Natty)
Status: New => Fix Committed
** Changed in: linux-fsl-imx51 (Ubuntu Lucid)
Status: New => Fix Released
** Description changed:
- Fixed By:
+ Multiple integer overflows in the (1) agp_allocate_memory and (2)
+ agp_create_user_memory functions in drivers/char/agp/generic.c in the
+ Linux kernel before 2.6.38.5 allow local users to trigger buffer
+ overflows, and consequently cause a denial of service (system crash) or
+ possibly have unspecified other impact, via vectors related to calls
+ that specify a large number of memory pages.
- commit b522f02184b413955f3bc952e3776ce41edc6355
- Author: Vasiliy Kulikov <[email protected]>
- Date: Thu Apr 14 20:55:19 2011 +0400
-
- agp: fix OOM and buffer overflow
-
- page_count is copied from userspace. agp_allocate_memory() tries to
- check whether this number is too big, but doesn't take into account the
- wrap case. Also agp_create_user_memory() doesn't check whether
- alloc_size is calculated from num_agp_pages variable without overflow.
- This may lead to allocation of a too-small buffer, followed by a buffer
- overflow.
-
- Another problem in agp code is not addressed in the patch - kernel memory
- exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
- whether requested pid is a pid of the caller (no check in
agpioc_reserve_wra
- Each allocation is limited to 16KB; there is, though, no per-process limit.
- This might lead to OOM situation, which is not even solved in case of the
- caller death by OOM killer - the memory is allocated for another (faked)
pro
-
- Signed-off-by: Vasiliy Kulikov <[email protected]>
- Signed-off-by: Dave Airlie <[email protected]>
-
- This fix has hit Oneiric, Natty and Lucid via mainline/stable updates.
+ Fixed-by: b522f02184b413955f3bc952e3776ce41edc6355
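As an added illustration of the two defects the commit message describes (this is constructed user-space C, not the upstream fix and not code from the bug report), modelled with size_t arithmetic: a quota check that detects the wrap of current + page_count, and a page-array size computation that refuses when num_pages * sizeof(pointer) would overflow. The struct, function names and values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the per-bridge AGP accounting (not kernel code). */
struct agp_bridge_model {
    size_t current_memory_agp; /* pages currently reserved */
    size_t max_memory_agp;     /* hard upper bound on pages */
};

/* Naive quota check: current + page_count can wrap past SIZE_MAX and
 * come out small, so a huge page_count slips through. */
int quota_ok_unchecked(const struct agp_bridge_model *b, size_t page_count)
{
    return (b->current_memory_agp + page_count) <= b->max_memory_agp;
}

/* Wrap-aware quota check: reject if the sum wrapped (sum < page_count). */
int quota_ok_checked(const struct agp_bridge_model *b, size_t page_count)
{
    size_t sum = b->current_memory_agp + page_count;
    if (sum < page_count)           /* addition wrapped around */
        return 0;
    return sum <= b->max_memory_agp;
}

/* Page-array size the way agp_create_user_memory computes it:
 * num_pages * sizeof(pointer). Returns 0 (and sets *out to 0) if the
 * multiplication would overflow, otherwise 1 with the byte count in *out. */
int page_array_size(size_t num_pages, size_t *out)
{
    if (num_pages > SIZE_MAX / sizeof(void *)) {
        *out = 0;
        return 0;                   /* would wrap: caller must refuse */
    }
    *out = num_pages * sizeof(void *);
    return 1;
}

/* Allocate the page array only when the size is overflow-free. */
void *alloc_page_array(size_t num_pages)
{
    size_t bytes;
    if (!page_array_size(num_pages, &bytes) || bytes == 0)
        return NULL;
    return calloc(1, bytes);
}
```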
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/791918
Title:
CVE-2011-1746
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/791918/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs