** Changed in: linux-mvl-dove (Ubuntu Lucid)
Status: In Progress => Fix Released
** Changed in: linux-mvl-dove (Ubuntu Maverick)
Status: New => Fix Released
** Changed in: linux-lts-backport-maverick (Ubuntu Lucid)
Status: New => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Oneiric)
Status: In Progress => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Maverick)
Status: In Progress => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Natty)
Status: In Progress => Fix Committed
** Description changed:
- Fixed by:
+ The agp_generic_remove_memory function in drivers/char/agp/generic.c in
+ the Linux kernel before 2.6.38.5 does not validate a certain start
+ parameter, which allows local users to gain privileges or cause a denial
+ of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl
+ call, a different vulnerability than CVE-2011-1745.
- commit 194b3da873fd334ef183806db751473512af29ce
- Author: Vasiliy Kulikov <[email protected]>
- Date: Thu Apr 14 20:55:16 2011 +0400
-
- agp: fix arbitrary kernel memory writes
-
- pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
- cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
- comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
- and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
- with sufficient privileges (usually "video" group) may generate either
- local DoS or privilege escalation.
-
- Signed-off-by: Vasiliy Kulikov <[email protected]>
- Signed-off-by: Dave Airlie <[email protected]>
+ Fixed-by: 194b3da873fd334ef183806db751473512af29ce
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/788684
Title:
CVE-2011-2022
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788684/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
