[kernel] r17607 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 6 01:24:05 UTC 2011 

Author: dannf
Date: Mon Jun  6 01:24:04 2011
New Revision: 17607

Log:
agp: fix arbitrary kernel memory writes (CVE-2011-1745)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
      - copied unchanged from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:23:21 2011	(r17606)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:24:04 2011	(r17607)
@@ -35,6 +35,7 @@
   * ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
   * next_pidmap: fix overflow condition (CVE-2011-1593)
   * can: Add missing socket check in can/bcm release (CVE-2011-1598)
+  * agp: fix arbitrary kernel memory writes (CVE-2011-1745)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch (from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch	Mon Jun  6 01:24:04 2011	(r17607, copy of r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
@@ -0,0 +1,52 @@
+commit 194b3da873fd334ef183806db751473512af29ce
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Thu Apr 14 20:55:16 2011 +0400
+
+    agp: fix arbitrary kernel memory writes
+    
+    pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
+    cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
+    comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
+    and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
+    with sufficient privileges (usually "video" group) may generate either
+    local DoS or privilege escalation.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 850a643..b072648 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
+ 		return -EINVAL;
+ 	}
+ 
+-	/* AK: could wrap */
+-	if ((pg_start + mem->page_count) > num_entries)
++	if (((pg_start + mem->page_count) > num_entries) ||
++	    ((pg_start + mem->page_count) < pg_start))
+ 		return -EINVAL;
+ 
+ 	j = pg_start;
+@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ 	size_t i;
+ 	struct agp_bridge_data *bridge;
+-	int mask_type;
++	int mask_type, num_entries;
+ 
+ 	bridge = mem->bridge;
+ 	if (!bridge)
+@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ 	if (type != mem->type)
+ 		return -EINVAL;
+ 
++	num_entries = agp_num_entries();
++	if (((pg_start + mem->page_count) > num_entries) ||
++	    ((pg_start + mem->page_count) < pg_start))
++		return -EINVAL;
++
+ 	mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
+ 	if (mask_type != 0) {
+ 		/* The generic routines know nothing of memory types */

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:23:21 2011	(r17606)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:24:04 2011	(r17607)
@@ -33,3 +33,4 @@
 + bugfix/all/next_pidmap-fix-overflow-condition.patch
 + bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
 + bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch
++ bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch

More information about the Kernel-svn-changes mailing list