Bug 689797 - VUL-0: kernel: buffer overflow and DoS issues in agp
VUL-0: kernel: buffer overflow and DoS issues in agp
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
E-mail List
maint:released:sle11-sp1:42209 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-26 06:56 UTC by Sebastian Krahmer
Modified: 2019-05-01 15:36 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2011-04-26 06:56:09 UTC
Via OSS-sec:


Hi,

https://lkml.org/lkml/2011/4/14/293

"pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation."


https://lkml.org/lkml/2011/4/14/294
https://lkml.org/lkml/2011/4/19/400

"page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked)
process."
Comment 1 Sebastian Krahmer 2011-04-26 07:05:30 UTC
> cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> and it is not checked at all in case of AGPIOC_UNBIND. As a result,
> user
> with sufficient privileges (usually "video" group) may generate either
> local DoS or privilege escalation."

Please use CVE-2011-1745.

>
>
> https://lkml.org/lkml/2011/4/14/294
> https://lkml.org/lkml/2011/4/19/400
>
> "page_count is copied from userspace. agp_allocate_memory() tries to
> check whether this number is too big, but doesn't take into account
> the
> wrap case. Also agp_create_user_memory() doesn't check whether
> alloc_size is calculated from num_agp_pages variable without overflow.
> This may lead to allocation of too small buffer with following buffer
> overflow.

Please use CVE-2011-1746.

> Another problem in agp code is not addressed in the patch - kernel
> memory
> exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not
> checked
> whether requested pid is a pid of the caller (no check in
> agpioc_reserve_wrap()).
> Each allocation is limited to 16KB, though, there is no per-process
> limit.
> This might lead to OOM situation, which is not even solved in case of
> the
> caller death by OOM killer - the memory is allocated for another
> (faked)
> process."

Please use CVE-2011-1747.

Thanks,
--
Petr Matousek / Red Hat Security Response Team
Comment 2 Sebastian Krahmer 2011-04-26 07:06:47 UTC
Also via OSS-sec:

> I am a bit confused.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=698999 references
> https://lkml.org/lkml/2011/4/14/294
>
>  which is assigned to CVE-2011-1746 not CVE-2011-1747.
>
> is there a patch for CVE-2011-1747?

No.  The problem of CVE-2011-1747 is mentioned in the patch fixing
CVE-2011-1746 because the patch tries to fix a similar problem - OOM.

CVE-2011-1747 is not fixed yet.
Comment 3 Thomas Biege 2011-05-03 14:12:52 UTC
p5->p3 mass change
Comment 5 Marcus Meissner 2011-06-26 21:46:15 UTC
CVE-2011-1746 and CVE-2011-1745 were fixed in 2.6.32.40 for sle11 sp1.
Comment 6 Michal Hocko 2011-06-27 14:49:03 UTC
(In reply to comment #1)
> > cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
> > comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
> > and it is not checked at all in case of AGPIOC_UNBIND. As a result,
> > user
> > with sufficient privileges (usually "video" group) may generate either
> > local DoS or privilege escalation."
> 
> Please use CVE-2011-1745.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=194b3da873fd334ef183806db751473512af29ce


> > https://lkml.org/lkml/2011/4/14/294
> > https://lkml.org/lkml/2011/4/19/400
> >
> > "page_count is copied from userspace. agp_allocate_memory() tries to
> > check whether this number is too big, but doesn't take into account
> > the
> > wrap case. Also agp_create_user_memory() doesn't check whether
> > alloc_size is calculated from num_agp_pages variable without overflow.
> > This may lead to allocation of too small buffer with following buffer
> > overflow.
> 
> Please use CVE-2011-1746.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b522f02184b413955f3bc952e3776ce41edc6355


> > Another problem in agp code is not addressed in the patch - kernel
> > memory
> > exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not
> > checked
> > whether requested pid is a pid of the caller (no check in
> > agpioc_reserve_wrap()).
> > Each allocation is limited to 16KB, though, there is no per-process
> > limit.
> > This might lead to OOM situation, which is not even solved in case of
> > the
> > caller death by OOM killer - the memory is allocated for another
> > (faked)
> > process."
> 
> Please use CVE-2011-1747.

Still nothing in the Linus tree AFAICS.
Comment 7 Michal Hocko 2011-06-27 15:32:48 UTC
Fix for CVE-2011-1745 pushed into SLES9-SP3-TD and SLES10-SP3-TD branches.

CVE-2011-1746 doesn't seem to affect SLES10-SP3-TD branch (agp_create_user_memory has been introduced by a030ce44 in 2.6.21).
Comment 10 Egbert Eich 2011-07-20 14:23:05 UTC
CVE-2011-1745 (along with  CVE-2011-2022) and CVE-2011-1746 are fixed in all relevant kernel branches now.
For CVE-2011-1747 I still need to locate the patch.
Comment 11 Egbert Eich 2011-07-20 14:24:10 UTC
Assigning to the security team. When done please assign it back to me for the CVE-2011-1747 issue.
Comment 12 Marcus Meissner 2011-07-25 07:47:17 UTC
A kernel update for SUSE Linux Enterprise 11 SP1 was just released that contains/mentions this fix. The release version is 2.6.32.43-0.4.1.
Comment 13 Swamp Workflow Management 2011-07-25 10:07:47 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-DESKTOP 11-SP1 (x86_64)
SLE-HAE 11-SP1 (x86_64)
SLE-SERVER 11-SP1 (x86_64)
SLES4VMWARE 11-SP1 (x86_64)
Comment 14 Swamp Workflow Management 2011-07-25 10:26:06 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ppc64)
SLE-HAE 11-SP1 (ppc64)
SLE-SERVER 11-SP1 (ppc64)
Comment 15 Swamp Workflow Management 2011-07-25 10:35:22 UTC
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-HAE 11-SP1 (s390x)
SLE-SERVER 11-SP1 (s390x)
Comment 16 Swamp Workflow Management 2011-07-25 10:45:03 UTC
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ia64)
SLE-HAE 11-SP1 (ia64)
SLE-SERVER 11-SP1 (ia64)
Comment 17 Swamp Workflow Management 2011-07-25 10:59:27 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-DESKTOP 11-SP1 (i386)
SLE-HAE 11-SP1 (i386)
SLE-SERVER 11-SP1 (i386)
SLES4VMWARE 11-SP1 (i386)
Comment 18 Swamp Workflow Management 2011-07-25 15:12:48 UTC
Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 19 Swamp Workflow Management 2011-07-25 16:13:19 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 20 Bernhard Wiedemann 2011-07-25 17:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (689797) was mentioned in
https://build.opensuse.org/request/show/76992 11.4 / kernel-source
Comment 21 Swamp Workflow Management 2011-07-25 17:13:31 UTC
Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 22 Swamp Workflow Management 2011-07-25 18:14:31 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 23 Swamp Workflow Management 2011-07-25 19:15:27 UTC
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 24 Marcus Meissner 2011-07-27 12:12:11 UTC
i noticed the patches missing in openSUSE-11.3 branch
Comment 25 Egbert Eich 2011-07-27 19:52:47 UTC
Patch is already in the openSUSE 11.3 update kernel thru patches.kernel.org/patch-2.6.34.9-10.
Comment 26 Swamp Workflow Management 2011-08-01 11:35:38 UTC
The SWAMPID for this issue is 42440.
This issue was rated as important.
Please submit fixed packages until 2011-08-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 27 Swamp Workflow Management 2011-08-02 08:00:29 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 28 Marcus Meissner 2011-08-05 14:04:26 UTC
CVE-2011-1747 still missing, but reassign to us as Egbert cannot do much there.
Comment 29 Marcus Meissner 2011-08-12 09:28:37 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP4 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.89.1.
Comment 30 Swamp Workflow Management 2011-08-12 10:58:38 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 31 Swamp Workflow Management 2011-08-12 11:24:07 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 32 Swamp Workflow Management 2011-08-12 11:37:13 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 33 Swamp Workflow Management 2011-08-12 11:43:21 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 34 Swamp Workflow Management 2011-08-12 12:29:50 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 35 Marcus Meissner 2011-09-20 14:36:18 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP3 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.83.2.
Comment 36 Swamp Workflow Management 2011-09-20 16:13:55 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ia64)
SLE-SDK 10-SP3 (ia64)
SLE-SERVER 10-SP3 (ia64)
Comment 37 Swamp Workflow Management 2011-09-20 17:14:39 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SDK 10-SP3 (i386)
SLE-SERVER 10-SP3 (i386)
Comment 38 Swamp Workflow Management 2011-09-20 17:28:31 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ppc)
SLE-SDK 10-SP3 (ppc)
SLE-SERVER 10-SP3 (ppc)
Comment 39 Swamp Workflow Management 2011-09-20 18:07:05 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (x86_64)
Comment 40 Swamp Workflow Management 2011-09-20 18:14:10 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3 (s390x)
Comment 41 Michal Hocko 2011-11-10 09:43:33 UTC
Are there any news about CVE-2011-1747?
Comment 42 Swamp Workflow Management 2011-11-17 14:12:24 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 43 Swamp Workflow Management 2012-01-24 13:15:43 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-SERVER 10-SP2-LTSS (s390x)
Comment 44 Swamp Workflow Management 2012-01-24 13:22:57 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-SERVER 10-SP2-LTSS (i386)
Comment 45 Swamp Workflow Management 2012-01-24 13:56:04 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP2-LTSS (x86_64)
Comment 46 Michal Hocko 2013-04-25 13:10:46 UTC
(In reply to comment #10)
[...]
> For CVE-2011-1747 I still need to locate the patch.

Any news about this one, Egbert?
Comment 47 Marcus Meissner 2014-01-07 14:23:13 UTC
Reviewed, might still be unfixed.

redhat writes in https://bugzilla.redhat.com/show_bug.cgi?id=698999 that it requies CAP_SYS_RAWIO, although I do not specifcally see that in the agp_ioctl() function.


Lets close it as mostly fixed.