** Description changed: - Fixed By: + The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not + properly restrict memory allocation by the (1) AGPIOC_RESERVE and (2) + AGPIOC_ALLOCATE ioctls, which allows local users to cause a denial of + service (memory consumption) by making many calls to these ioctls. - commit 464221eb38047bb9b3268ae8c28fea174442559d - Author: Vasiliy Kulikov <[email protected]> - Date: Thu Apr 14 20:55:19 2011 +0400 - - agp: fix OOM and buffer overflow - - page_count is copied from userspace. agp_allocate_memory() tries to - check whether this number is too big, but doesn't take into account the - wrap case. Also agp_create_user_memory() doesn't check whether - alloc_size is calculated from num_agp_pages variable without overflow. - This may lead to allocation of too small buffer with following buffer - overflow. - - Another problem in agp code is not addressed in the patch - kernel memory - exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked - whether requested pid is a pid of the caller (no check in agpioc_reserve_wra - Each allocation is limited to 16KB, though, there is no per-process limit. - This might lead to OOM situation, which is not even solved in case of the - caller death by OOM killer - the memory is allocated for another (faked) pro - - Signed-off-by: Vasiliy Kulikov <[email protected]> - Signed-off-by: Dave Airlie <[email protected]> - - Fix has arrived in Oneiric, Natty, and Lucid via mainline/upstream - stable. + Fixed-by: 464221eb38047bb9b3268ae8c28fea174442559d
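Review bot: The added "Fixed-by: 464221eb38047bb9b3268ae8c28fea174442559d" line contradicts the commit message this change removes. The new description covers only unrestricted allocation through AGPIOC_RESERVE and AGPIOC_ALLOCATE, yet the removed text for that same commit says the kernel memory exhaustion problem "is not addressed in the patch"; per that message, the commit handles the page_count wrap in agp_allocate_memory() and the alloc_size overflow in agp_create_user_memory(). Either reference the commit that actually restricts these ioctls, or keep a line stating that 464221eb covers only the overflow cases, so the bug is not tracked as fixed against the wrong change. The rewrite also drops the "Fix has arrived in Oneiric, Natty, and Lucid" status line, which should be kept somewhere in the description.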
https://bugs.launchpad.net/bugs/788700
Title: CVE-2011-1747
