Bug 693043

Summary: VUL-0: kernel: agp_generic_remove_memory vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: eich, meissner, mhocko, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:11.4:42361 maint:released:sle10-sp4:42443 maint:released:sle10-sp4:42445 maint:released:sle10-sp4:42442 maint:released:sle10-sp4:42444 maint:released:sle10-sp4:42441 maint:released:sle10-sp3:43063 maint:released:sle10-sp3:43061 maint:released:sle10-sp3:43066 maint:released:sle10-sp3:43069 maint:released:sle10-sp3:43068 maint:released:sle10-sp3:44088 maint:released:sle10-sp2:44861 maint:released:sle10-sp2:44860 maint:released:sle10-sp2:44862
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2011-05-11 08:39:06 UTC
Name: CVE-2011-2022

The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not
validate a certain start parameter, which allows local users to gain privileges or cause a denial of service
(system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.



Reference: MLIST: https://lkml.org/lkml/2011/4/14/293
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=698996
Reference: MLIST: http://openwall.com/lists/oss-security/2011/04/22/7
Reference: MLIST: http://openwall.com/lists/oss-security/2011/04/21/4
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=194b3da873fd334ef183806db751473512af29ce
Reference: CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.5
Comment 1 Marcus Meissner 2011-05-12 08:12:30 UTC
Bump prio, as this is a potential local privilege escalation.

Perhaps for Egbert to fix?
Comment 3 Marcus Meissner 2011-07-19 15:50:04 UTC
This was fixed by the fix in bnc#689797 already, as the Git commit ID
has both CVE fixes.
Comment 4 Egbert Eich 2011-07-20 14:21:09 UTC
I've now massaged this into all branches that needed this fix.
Comment 5 Bernhard Wiedemann 2011-07-25 17:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (693043) was mentioned in
https://build.opensuse.org/request/show/76992 11.4 / kernel-source
Comment 6 Swamp Workflow Management 2011-08-01 11:35:37 UTC
The SWAMPID for this issue is 42440.
This issue was rated as important.
Please submit fixed packages until 2011-08-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Swamp Workflow Management 2011-08-02 08:00:25 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 8 Marcus Meissner 2011-08-12 09:28:29 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP4 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.89.1.

I cross-checked presence of the patch, so we can close.
Comment 9 Swamp Workflow Management 2011-08-12 10:58:36 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 10 Swamp Workflow Management 2011-08-12 11:24:05 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 11 Swamp Workflow Management 2011-08-12 11:37:11 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 12 Swamp Workflow Management 2011-08-12 11:43:19 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 13 Swamp Workflow Management 2011-08-12 12:29:48 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 14 Marcus Meissner 2011-09-20 14:36:00 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP3 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.83.2.
Comment 15 Swamp Workflow Management 2011-09-20 16:13:57 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ia64)
SLE-SDK 10-SP3 (ia64)
SLE-SERVER 10-SP3 (ia64)
Comment 16 Swamp Workflow Management 2011-09-20 17:14:42 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SDK 10-SP3 (i386)
SLE-SERVER 10-SP3 (i386)
Comment 17 Swamp Workflow Management 2011-09-20 17:28:33 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ppc)
SLE-SDK 10-SP3 (ppc)
SLE-SERVER 10-SP3 (ppc)
Comment 18 Swamp Workflow Management 2011-09-20 18:07:07 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (x86_64)
Comment 19 Swamp Workflow Management 2011-09-20 18:14:10 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3 (s390x)
Comment 20 Swamp Workflow Management 2011-11-17 14:12:29 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 21 Swamp Workflow Management 2012-01-24 13:16:30 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-SERVER 10-SP2-LTSS (s390x)
Comment 22 Swamp Workflow Management 2012-01-24 13:22:17 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-SERVER 10-SP2-LTSS (i386)
Comment 23 Swamp Workflow Management 2012-01-24 13:56:47 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP2-LTSS (x86_64)