Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: kernel: buffer overflow and DoS issues in agp | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | General | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | lchiquitto, meissner, mhocko, regis, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | maint:released:sle11-sp1:42209 maint:released:sle11-sp1:42207 maint:released:sle11-sp1:42208 maint:released:sle11-sp1:42206 maint:released:sle11-sp1:42205 maint:released:sle11-sp1:42214 maint:released:sle11-sp1:42211 maint:released:sle11-sp1:42212 maint:released:sle11-sp1:42213 maint:released:sle11-sp1:42210 maint:released:11.4:42361 maint:released:sle10-sp4:42443 maint:released:sle10-sp4:42445 maint:released:sle10-sp4:42442 maint:released:sle10-sp4:42444 maint:released:sle10-sp4:42441 maint:released:sle10-sp3:43063 maint:released:sle10-sp3:43061 maint:released:sle10-sp3:43066 maint:released:sle10-sp3:43069 maint:released:sle10-sp3:43068 maint:released:sle10-sp3:44088 maint:released:sle10-sp2:44861 maint:released:sle10-sp2:44860 maint:released:sle10-sp2:44862 CVSSv2:NVD:CVE-2011-1747:4.7:(AV:L/AC:M/Au:N/C:N/I:N/A:C) CVSSv2:RedHat:CVE-2011-1747:4.4:(AV:L/AC:M/Au:S/C:N/I:N/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Sebastian Krahmer
2011-04-26 06:56:09 UTC
> cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> and it is not checked at all in case of AGPIOC_UNBIND. As a result,
> user
> with sufficient privileges (usually "video" group) may generate either
> local DoS or privilege escalation."

Please use CVE-2011-1745.

>
>
> https://lkml.org/lkml/2011/4/14/294
> https://lkml.org/lkml/2011/4/19/400
>
> "page_count is copied from userspace. agp_allocate_memory() tries to
> check whether this number is too big, but doesn't take into account
> the
> wrap case. Also agp_create_user_memory() doesn't check whether
> alloc_size is calculated from num_agp_pages variable without overflow.
> This may lead to allocation of too small buffer with following buffer
> overflow.

Please use CVE-2011-1746.

> Another problem in agp code is not addressed in the patch - kernel
> memory
> exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not
> checked
> whether requested pid is a pid of the caller (no check in
> agpioc_reserve_wrap()).
> Each allocation is limited to 16KB, though, there is no per-process
> limit.
> This might lead to OOM situation, which is not even solved in case of
> the
> caller death by OOM killer - the memory is allocated for another
> (faked)
> process."

Please use CVE-2011-1747.

Thanks,

--
Petr Matousek / Red Hat Security Response Team

Also via OSS-sec:

> I am a bit confused.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=698999 references
> https://lkml.org/lkml/2011/4/14/294
>
> which is assigned to CVE-2011-1746 not CVE-2011-1747.
>
> is there a patch for CVE-2011-1747?

No. The problem of CVE-2011-1747 is mentioned in the patch fixing CVE-2011-1746 because the patch tries to fix a similar problem - OOM. CVE-2011-1747 is not fixed yet.

p5->p3 mass change

CVE-2011-1746 and CVE-2011-1745 were fixed in 2.6.32.40 for sle11 sp1.

(In reply to comment #1)
> > cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> > comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> > and it is not checked at all in case of AGPIOC_UNBIND. As a result,
> > user
> > with sufficient privileges (usually "video" group) may generate either
> > local DoS or privilege escalation."
>
> Please use CVE-2011-1745.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=194b3da873fd334ef183806db751473512af29ce

> > https://lkml.org/lkml/2011/4/14/294
> > https://lkml.org/lkml/2011/4/19/400
> >
> > "page_count is copied from userspace. agp_allocate_memory() tries to
> > check whether this number is too big, but doesn't take into account
> > the
> > wrap case. Also agp_create_user_memory() doesn't check whether
> > alloc_size is calculated from num_agp_pages variable without overflow.
> > This may lead to allocation of too small buffer with following buffer
> > overflow.
>
> Please use CVE-2011-1746.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b522f02184b413955f3bc952e3776ce41edc6355

> > Another problem in agp code is not addressed in the patch - kernel
> > memory
> > exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not
> > checked
> > whether requested pid is a pid of the caller (no check in
> > agpioc_reserve_wrap()).
> > Each allocation is limited to 16KB, though, there is no per-process
> > limit.
> > This might lead to OOM situation, which is not even solved in case of
> > the
> > caller death by OOM killer - the memory is allocated for another
> > (faked)
> > process."
>
> Please use CVE-2011-1747.

Still nothing in the Linus tree AFAICS.

Fix for CVE-2011-1745 pushed into SLES9-SP3-TD and SLES10-SP3-TD branches.

CVE-2011-1746 doesn't seem to affect SLES10-SP3-TD branch (agp_create_user_memory has been introduced by a030ce44 in 2.6.21).

CVE-2011-1745 (along with CVE-2011-2022) and CVE-2011-1746 are fixed in all relevant kernel branches now. For CVE-2011-1747 I still need to locate the patch.

Assigning to the security team. When done please assign it back to me for the CVE-2011-1747 issue.

A kernel update for SUSE Linux Enterprise 11 SP1 was just released that contains/mentions this fix. The release version is 2.6.32.43-0.4.1.

Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products: SLE-DEBUGINFO 11-SP1 (x86_64) SLE-DESKTOP 11-SP1 (x86_64) SLE-HAE 11-SP1 (x86_64) SLE-SERVER 11-SP1 (x86_64) SLES4VMWARE 11-SP1 (x86_64)

Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products: SLE-DEBUGINFO 11-SP1 (ppc64) SLE-HAE 11-SP1 (ppc64) SLE-SERVER 11-SP1 (ppc64)

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man
Products: SLE-DEBUGINFO 11-SP1 (s390x) SLE-HAE 11-SP1 (s390x) SLE-SERVER 11-SP1 (s390x)

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products: SLE-DEBUGINFO 11-SP1 (ia64) SLE-HAE 11-SP1 (ia64) SLE-SERVER 11-SP1 (ia64)

Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra
Products: SLE-DEBUGINFO 11-SP1 (i386) SLE-DESKTOP 11-SP1 (i386) SLE-HAE 11-SP1 (i386) SLE-SERVER 11-SP1 (i386) SLES4VMWARE 11-SP1 (i386)

Update released for: kernel-default-extra, kernel-xen-extra
Products: SLE-SERVER 11-EXTRA (x86_64)

Update released for: kernel-default-extra
Products: SLE-SERVER 11-EXTRA (ia64)

This is an autogenerated message for OBS integration: This bug (689797) was mentioned in https://build.opensuse.org/request/show/76992 11.4 / kernel-source

Update released for: kernel-default-extra, kernel-ppc64-extra
Products: SLE-SERVER 11-EXTRA (ppc64)

Update released for: kernel-default-extra
Products: SLE-SERVER 11-EXTRA (s390x)

Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products: SLE-SERVER 11-EXTRA (i386)

I noticed the patches missing in openSUSE-11.3 branch.

Patch is already in the openSUSE 11.3 update kernel through patches.kernel.org/patch-2.6.34.9-10.

The SWAMPID for this issue is 42440. This issue was rated as important. Please submit fixed packages until 2011-08-08. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.

Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products: openSUSE 11.4 (debug, i586, x86_64)

CVE-2011-1747 still missing, but reassign to us as Egbert cannot do much there.

We just released a kernel update for SUSE Linux Enterprise 10 SP4 that mentions/fixes this bug. The released kernel version is 2.6.16.60-0.89.1.

Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products: SLE-DEBUGINFO 10-SP4 (ppc) SLE-SDK 10-SP4 (ppc) SLE-SERVER 10-SP4 (ppc)

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products: SLE-DEBUGINFO 10-SP4 (x86_64) SLE-DESKTOP 10-SP4 (x86_64) SLE-SDK 10-SP4 (x86_64) SLE-SERVER 10-SP4 (x86_64)

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products: SLE-DEBUGINFO 10-SP4 (ia64) SLE-SDK 10-SP4 (ia64) SLE-SERVER 10-SP4 (ia64)

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products: SLE-DEBUGINFO 10-SP4 (s390x) SLE-SERVER 10-SP4 (s390x)

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products: SLE-DEBUGINFO 10-SP4 (i386) SLE-DESKTOP 10-SP4 (i386) SLE-SDK 10-SP4 (i386) SLE-SERVER 10-SP4 (i386)

We just released a kernel update for SUSE Linux Enterprise 10 SP3 that mentions/fixes this bug. The released kernel version is 2.6.16.60-0.83.2.

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products: SLE-DEBUGINFO 10-SP3 (ia64) SLE-SDK 10-SP3 (ia64) SLE-SERVER 10-SP3 (ia64)

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products: SLE-DEBUGINFO 10-SP3 (i386) SLE-SDK 10-SP3 (i386) SLE-SERVER 10-SP3 (i386)

Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products: SLE-DEBUGINFO 10-SP3 (ppc) SLE-SDK 10-SP3 (ppc) SLE-SERVER 10-SP3 (ppc)

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products: SLE-DEBUGINFO 10-SP3 (x86_64) SLE-SAP-APL 10-SP3 (x86_64) SLE-SDK 10-SP3 (x86_64) SLE-SERVER 10-SP3 (x86_64)

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products: SLE-DEBUGINFO 10-SP3 (s390x) SLE-SERVER 10-SP3 (s390x)

Is there any news about CVE-2011-1747?

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products: SLE-SERVER 10-SP2-LTSS (s390x)

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products: SLE-SERVER 10-SP2-LTSS (i386)

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products: SLE-SERVER 10-SP2-LTSS (x86_64)

(In reply to comment #10)
[...]
> For CVE-2011-1747 I still need to locate the patch.

Any news about this one, Egbert?

Reviewed, might still be unfixed.

Red Hat writes in https://bugzilla.redhat.com/show_bug.cgi?id=698999 that it requires CAP_SYS_RAWIO, although I do not specifically see that in the agp_ioctl() function. Let's close it as mostly fixed.
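The three checks that the report quoted in the description describes (the wrapping pg_start + page_count range check behind CVE-2011-1745, the unchecked alloc_size multiplication behind CVE-2011-1746, and the unverified pid plus missing per-process limit in AGPIOC_RESERVE behind CVE-2011-1747), modelled as an added stand-alone C example. This is not kernel code and not the upstream patches linked in this bug: the function names, the 65536-entry table, the 64 KB per-process quota, the per-pid ledger and the 32-bit width used for the bind arithmetic are all constructed for the demonstration, and each vulnerable shape is paired with a hardened one.

```c
/*
 * Added stand-alone model of the agp ioctl checks discussed in this bug.
 * NOT the kernel's drivers/char/agp code and NOT the upstream patches;
 * names, sizes and the quota below are constructed for the demo.
 * Build: cc -std=c99 -Wall -Wextra agp_checks.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_ENTRIES 65536u      /* hypothetical GART table size (assumption) */

/* CVE-2011-1745 shape: the bound is checked by forming pg_start + page_count,
 * which wraps. 32-bit width is a demo choice so the wrap is the same on
 * every platform; it is not the kernel's type. */
static bool bind_range_ok_vuln(uint32_t pg_start, uint32_t page_count,
                               uint32_t num_entries)
{
    return (uint32_t)(pg_start + page_count) <= num_entries;    /* wraps */
}

/* Hardened: never form the sum; bound each operand before comparing.
 * The same check belongs on the UNBIND path, which the report says had none. */
static bool bind_range_ok_safe(uint32_t pg_start, uint32_t page_count,
                               uint32_t num_entries)
{
    if (pg_start > num_entries)
        return false;
    return page_count <= num_entries - pg_start;
}

/* CVE-2011-1746 shape: alloc_size = count * sizeof(pointer) from a
 * user-controlled count wraps to a small value, so the buffer allocated for
 * the page pointers is too small and later writes overrun it. */
static size_t alloc_size_vuln(size_t num_pages)
{
    return num_pages * sizeof(void *);                           /* wraps */
}

/* Hardened: refuse (return 0) when the product cannot be represented. */
static size_t alloc_size_safe(size_t num_pages)
{
    if (num_pages > SIZE_MAX / sizeof(void *))
        return 0;
    return num_pages * sizeof(void *);
}

/* CVE-2011-1747 shape: the pid comes from userspace and only each single
 * allocation is capped. Model: a tiny per-pid ledger (constructed). */
#define MAX_SINGLE_ALLOC  (16u * 1024u)  /* per-allocation cap named in the report */
#define PER_PROCESS_QUOTA (64u * 1024u)  /* hypothetical cumulative cap (assumption) */
#define MAX_TRACKED 8

struct owner_acct { long pid; size_t bytes; };
static struct owner_acct accts[MAX_TRACKED];

static struct owner_acct *acct_for(long pid)        /* find or create */
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (accts[i].pid == pid)
            return &accts[i];
    for (int i = 0; i < MAX_TRACKED; i++)
        if (accts[i].pid == 0) { accts[i].pid = pid; return &accts[i]; }
    return NULL;                                     /* ledger full */
}

static size_t bytes_charged(long pid)                /* lookup only */
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (accts[i].pid == pid)
            return accts[i].bytes;
    return 0;
}

/* Vulnerable shape: memory is charged to whatever pid the caller names. */
static bool reserve_vuln(long caller_pid, long requested_pid, size_t bytes)
{
    (void)caller_pid;
    if (bytes > MAX_SINGLE_ALLOC)
        return false;
    struct owner_acct *a = acct_for(requested_pid);
    if (!a)
        return false;
    a->bytes += bytes;
    return true;
}

/* Hardened: charge only the caller, and bound what one caller can hold. */
static bool reserve_safe(long caller_pid, long requested_pid, size_t bytes)
{
    if (requested_pid != caller_pid || bytes > MAX_SINGLE_ALLOC)
        return false;
    struct owner_acct *a = acct_for(caller_pid);
    if (!a || a->bytes > PER_PROCESS_QUOTA - bytes)   /* no underflow: bytes <= 16K */
        return false;
    a->bytes += bytes;
    return true;
}

int main(void)
{
    uint32_t huge = UINT32_MAX - 50;                 /* constructed attacker input */
    size_t n = SIZE_MAX / sizeof(void *) + 2;        /* constructed attacker count */
    printf("bind  wrap: vuln=%d safe=%d\n", bind_range_ok_vuln(100, huge, NUM_ENTRIES),
           bind_range_ok_safe(100, huge, NUM_ENTRIES));
    printf("alloc wrap: vuln=%zu safe=%zu\n", alloc_size_vuln(n), alloc_size_safe(n));
    printf("faked pid:  vuln=%d safe=%d charged=%zu\n",
           reserve_vuln(1000, 4242, MAX_SINGLE_ALLOC),
           reserve_safe(1000, 4242, MAX_SINGLE_ALLOC), bytes_charged(4242));
    return 0;
}
```

The two arithmetic checks share one rule: validate the operands against the bound before combining them, never the combined value after. The reserve model shows why a per-allocation cap alone does not help: the attacker's cost is spread over many calls and, with a faked pid, over a victim that the OOM killer cannot reach.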