Date: Fri, 22 Apr 2011 11:11:31 -0400 (EDT)
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: CVE request: kernel: buffer overflow and DoS issues in agp

----- Original Message -----
> From: "Vasiliy Kulikov" <segoon@...nwall.com>
> To: oss-security@...ts.openwall.com
> Sent: Thursday, April 21, 2011 4:01:31 PM
> Subject: [oss-security] CVE request: kernel: buffer overflow and DoS issues in agp
> Hi,
> 
> https://lkml.org/lkml/2011/4/14/293
> 
> "pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
> cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
> with sufficient privileges (usually "video" group) may generate either
> local DoS or privilege escalation."

Please use CVE-2011-1745.

> 
> https://lkml.org/lkml/2011/4/14/294
> https://lkml.org/lkml/2011/4/19/400
> 
> "page_count is copied from userspace. agp_allocate_memory() tries to
> check whether this number is too big, but doesn't take into account the
> wrap case. Also agp_create_user_memory() doesn't check whether
> alloc_size is calculated from num_agp_pages variable without overflow.
> This may lead to allocation of too small buffer with following buffer
> overflow.

Please use CVE-2011-1746.
 
> Another problem in agp code is not addressed in the patch - kernel memory
> exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
> whether requested pid is a pid of the caller (no check in
> agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there
> is no per-process limit. This might lead to OOM situation, which is not
> even solved in case of the caller death by OOM killer - the memory is
> allocated for another (faked) process."

Please use CVE-2011-1747.

Thanks,
--
Petr Matousek / Red Hat Security Response Team

> --
> Vasiliy Kulikov
> http://www.openwall.com - bringing security into open computing
> environments
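Both CVE-2011-1745 and CVE-2011-1746 above come down to the same defect: a bound check written as `base + count <= limit` on values copied from userspace, where the addition (or the multiplication that derives an allocation size) can wrap and make an out-of-range request look valid. The following C is an added illustration of the overflow-safe form of those checks; it is not code from the thread or from the kernel's agp driver. The function names, `APERTURE_PAGES`, and the element size used for the allocation-size computation are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical aperture size in pages; in a real driver this would come
 * from the bridge/GATT configuration, here it is a constant for the demo. */
#define APERTURE_PAGES 65536UL

/* The weak pattern: the sum is formed first, so a wrapped pg_start + page_count
 * can compare as "small" and pass. Kept here only to contrast with the safe
 * check below. */
bool naive_range_check(size_t pg_start, size_t page_count, size_t aperture_pages)
{
    return pg_start + page_count <= aperture_pages;
}

/* Overflow-safe check that [pg_start, pg_start + page_count) lies inside the
 * aperture. The comparison is rearranged so no addition is performed on
 * attacker-controlled operands; a wrapped sum therefore cannot slip through.
 * Returns true when the range is acceptable. */
bool range_fits_aperture(size_t pg_start, size_t page_count, size_t aperture_pages)
{
    if (page_count == 0)
        return false;                 /* empty bind/unbind makes no sense */
    if (pg_start > aperture_pages)
        return false;                 /* start already past the end */
    /* aperture_pages - pg_start cannot underflow after the test above. */
    return page_count <= aperture_pages - pg_start;
}

/* Overflow-safe derivation of an allocation size from a user-supplied page
 * count: reject counts above the policy maximum, and reject any count whose
 * multiplication by elem_size would wrap (which is what would otherwise yield
 * a too-small buffer). On success stores the size in *out and returns true;
 * on failure *out is left untouched. */
bool alloc_size_for_pages(size_t num_pages, size_t max_pages, size_t elem_size, size_t *out)
{
    if (num_pages == 0 || num_pages > max_pages)
        return false;
    if (elem_size == 0 || num_pages > SIZE_MAX / elem_size)
        return false;                 /* num_pages * elem_size would wrap */
    *out = num_pages * elem_size;
    return true;
}

/* Convenience wrapper using the demo aperture size. */
bool bind_request_ok(size_t pg_start, size_t page_count)
{
    return range_fits_aperture(pg_start, page_count, APERTURE_PAGES);
}
```

The same rearrangement applies to any "current + requested > max" accounting check: compare `requested > max - current` (after confirming `current <= max`) instead of adding first. A bind check that rejects a request is a cheap place to emit a rate-limited kernel log line, since a wrapped page range from a user process is never a legitimate request.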
