[kernel] r17607 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jun 6 01:24:05 UTC 2011
Author: dannf
Date: Mon Jun 6 01:24:04 2011
New Revision: 17607
Log:
agp: fix arbitrary kernel memory writes (CVE-2011-1745)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
- copied unchanged from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 01:23:21 2011 (r17606)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 01:24:04 2011 (r17607)
@@ -35,6 +35,7 @@
* ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
* next_pidmap: fix overflow condition (CVE-2011-1593)
* can: Add missing socket check in can/bcm release (CVE-2011-1598)
+ * agp: fix arbitrary kernel memory writes (CVE-2011-1745)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch (from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch Mon Jun 6 01:24:04 2011 (r17607, copy of r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
@@ -0,0 +1,52 @@
+commit 194b3da873fd334ef183806db751473512af29ce
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Thu Apr 14 20:55:16 2011 +0400
+
+ agp: fix arbitrary kernel memory writes
+
+ pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
+ cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
+ comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
+ and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
+ with sufficient privileges (usually "video" group) may generate either
+ local DoS or privilege escalation.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 850a643..b072648 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
+ return -EINVAL;
+ }
+
+- /* AK: could wrap */
+- if ((pg_start + mem->page_count) > num_entries)
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
+ return -EINVAL;
+
+ j = pg_start;
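Review bot: the new wrap test `(pg_start + mem->page_count) < pg_start` in agp_generic_insert_memory() depends on the type the sum is computed in. pg_start is a signed off_t in the signature, so a negative pg_start is never rejected explicitly, and if the addition is carried out in a signed type, the overflow this clause is meant to detect is undefined behaviour that the compiler is allowed to optimise away. Consider rejecting `pg_start < 0` and `pg_start > num_entries` first, then testing `mem->page_count > num_entries - pg_start`, which cannot wrap. The hunk also drops the `/* AK: could wrap */` comment without leaving one that says what the second clause guards against; a one-line comment there would help the next reader.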
+@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ size_t i;
+ struct agp_bridge_data *bridge;
+- int mask_type;
++ int mask_type, num_entries;
+
+ bridge = mem->bridge;
+ if (!bridge)
+@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ if (type != mem->type)
+ return -EINVAL;
+
++ num_entries = agp_num_entries();
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
++ return -EINVAL;
++
+ mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
+ if (mask_type != 0) {
+ /* The generic routines know nothing of memory types */
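Review bot: the bounds check added to agp_generic_remove_memory() is a copy of the expression in agp_generic_insert_memory(), so the two can drift apart the next time either is touched. A small shared helper that takes pg_start and mem->page_count and returns whether the range fits would keep them in step. Also, num_entries is declared int here while pg_start is off_t, so `(pg_start + mem->page_count) > num_entries` mixes widths and signedness; stating the intended types, or rejecting a negative pg_start up front, would make the check easier to reason about.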
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 01:23:21 2011 (r17606)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 01:24:04 2011 (r17607)
@@ -33,3 +33,4 @@
+ bugfix/all/next_pidmap-fix-overflow-condition.patch
+ bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
+ bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch
++ bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch