CVE-2011-1746

Bug #791918 reported by Andy Whitcroft on 2011-06-02
Affects                                Importance   Assigned to
linux (Ubuntu)                         Low          Unassigned
  Hardy                                Low          Andy Whitcroft
  Lucid                                Low          Unassigned
  Maverick                             Low          Andy Whitcroft
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-ec2 (Ubuntu)                     Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-fsl-imx51 (Ubuntu)               Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-lts-backport-maverick (Ubuntu)   Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-lts-backport-natty (Ubuntu)      Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-mvl-dove (Ubuntu)                Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned
linux-ti-omap4 (Ubuntu)                Low          Unassigned
  Hardy                                Low          Unassigned
  Lucid                                Low          Unassigned
  Maverick                             Low          Unassigned
  Natty                                Low          Unassigned
  Oneiric                              Low          Unassigned

Bug Description

Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.

Break-Fix: - b522f02184b413955f3bc952e3776ce41edc6355
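
The bug class in the description, as an added example that is not part of the original report and is neither the kernel's code nor the upstream fix: a user-space model of two ways arithmetic on a caller-supplied page count can overflow, each beside a checked form. All function names and input values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; all function names are hypothetical. */

/* Unchecked limit test: cur + page_count wraps modulo 2^32, so a huge
 * request can compare as small and be accepted. */
int limit_ok_unchecked(uint32_t cur, uint32_t page_count, uint32_t max)
{
    return cur + page_count <= max;
}

/* Checked: compare the request against the remaining headroom instead. */
int limit_ok_checked(uint32_t cur, uint32_t page_count, uint32_t max)
{
    return cur <= max && page_count <= max - cur;
}

/* Unchecked table size: the product wraps, yielding a buffer far smaller
 * than the page_count entries later written into it. */
uint32_t table_bytes_unchecked(uint32_t page_count, uint32_t entry_size)
{
    return page_count * entry_size;
}

/* Checked: refuse any page_count whose product cannot be represented. */
int table_bytes_checked(uint32_t page_count, uint32_t entry_size, uint32_t *out)
{
    if (entry_size != 0 && page_count > UINT32_MAX / entry_size)
        return -1;
    *out = page_count * entry_size;
    return 0;
}

int main(void)
{
    uint32_t bytes = 0;
    /* Constructed inputs: 100 pages in use, limit 1000, 8-byte entries. */
    printf("limit unchecked: %d\n", limit_ok_unchecked(100, 0xFFFFFFF0u, 1000));
    printf("limit checked:   %d\n", limit_ok_checked(100, 0xFFFFFFF0u, 1000));
    printf("size unchecked:  %u bytes\n", (unsigned)table_bytes_unchecked(0x20000001u, 8));
    printf("size checked:    %d\n", table_bytes_checked(0x20000001u, 8, &bytes));
    return 0;
}
```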

Andy Whitcroft (apw) on 2011-06-02
tags: added: kernel-cve-tracking-bug
security vulnerability: no → yes
Andy Whitcroft (apw) on 2011-06-02
Changed in linux (Ubuntu Hardy):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Maverick):
assignee: nobody → Andy Whitcroft (apw)
status: New → Fix Released
status: Fix Released → In Progress
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Oneiric):
status: New → Invalid
Andy Whitcroft (apw) on 2011-06-02
description: updated
Andy Whitcroft (apw) on 2011-07-05
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-29.91

---------------
linux (2.6.24-29.91) hardy-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #801636

  [Andy Whitcroft]

  * custom binaries need VERSION_SIGNATURE updated during prepare
    - LP: #794698

  [Stefan Bader]

  * (config) Disable COMPAT_VDSO for i386 Xen kernels
    - LP: #794715
  * XEN: Add yield points to blktap and blkback
    - LP: #791212
    - CVE-2010-4247
  * xen: Fix memory corruption caused by double free
    - LP: #705562

  [Upstream Kernel Changes]

  * agp: fix arbitrary kernel memory writes, CVE-1011-2022
    - LP: #788684
    - CVE-1011-2022
  * agp: fix OOM and buffer overflow
    - LP: #791918
    - CVE-2011-1746
  * tty: icount changeover for other main devices, CVE-2010-4076,
    CVE-2010-4077
    - LP: #794034
    - CVE-2010-4077
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * Fix corrupted OSF partition table parsing
    - LP: #796606
    - CVE-2011-1163
  * proc: avoid information leaks to non-privileged processes
    - LP: #799906
    - CVE-2011-0726
  * proc: protect mm start_code/end_code in /proc/pid/stat
    - LP: #799906
    - CVE-2011-0726
  * sctp: Fix a race between ICMP protocol unreachable and connect()
    - LP: #799828
    - CVE-2010-4526
  * xen: blkback, blktap: Fix potential resource leak
    - LP: #800254
 -- Steve Conklin <email address hidden> Fri, 24 Jun 2011 10:59:11 -0500

Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Released
Kees Cook (kees) on 2011-08-02
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Fix Released
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Fix Released
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Fix Committed
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.35-30.56

---------------
linux (2.6.35-30.56) maverick-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #808934

  [ Herton Ronaldo Krzesinski ]

  * Revert "SAUCE: mmc: Enable MMC card reader for RICOH [1180:e823]"

  [ Upstream Kernel Changes ]

  * Revert "x86: Flush TLB if PGD entry is changed in i386 PAE mode"
    - LP: #805209

linux (2.6.35-30.55) maverick-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #801690

  [ Jeremy Kerr ]

  * SAUCE: cx23885: Fix argument to videobuf_dma_unmap
    - LP: #800527

  [ Manoj Iyer ]

  * SAUCE: mmc: Enable MMC card reader for RICOH [1180:e823]
    - LP: #790754

  [ Upstream Kernel Changes ]

  * agp: fix OOM and buffer overflow
    - LP: #791918
    - CVE-2011-1746
  * tty: icount changeover for other main devices, CVE-2010-4076,
    CVE-2010-4077
    - LP: #720189
    - CVE-2010-4077
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * Fix corrupted OSF partition table parsing
    - LP: #796606
    - CVE-2011-1163
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * nfs4: Ensure that ACL pages sent over NFS were not allocated from the
    slab (v3) CVE-2011-1090
    - LP: #800775
    - CVE-2011-1090
 -- Herton Ronaldo Krzesinski <email address hidden> Mon, 11 Jul 2011 15:17:32 -0300

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-backport-maverick - 2.6.35-30.56~lucid1

---------------
linux-lts-backport-maverick (2.6.35-30.56~lucid1) lucid-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #811215

  [ Herton Ronaldo Krzesinski ]

  * Revert "SAUCE: mmc: Enable MMC card reader for RICOH [1180:e823]"

  [ Upstream Kernel Changes ]

  * Revert "x86: Flush TLB if PGD entry is changed in i386 PAE mode"
    - LP: #805209

linux (2.6.35-30.55) maverick-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #801690

  [ Jeremy Kerr ]

  * SAUCE: cx23885: Fix argument to videobuf_dma_unmap
    - LP: #800527

  [ Manoj Iyer ]

  * SAUCE: mmc: Enable MMC card reader for RICOH [1180:e823]
    - LP: #790754

  [ Upstream Kernel Changes ]

  * agp: fix OOM and buffer overflow
    - LP: #791918
    - CVE-2011-1746
  * tty: icount changeover for other main devices, CVE-2010-4076,
    CVE-2010-4077
    - LP: #720189
    - CVE-2010-4077
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * Fix corrupted OSF partition table parsing
    - LP: #796606
    - CVE-2011-1163
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * nfs4: Ensure that ACL pages sent over NFS were not allocated from the
    slab (v3) CVE-2011-1090
    - LP: #800775
    - CVE-2011-1090

linux (2.6.35-30.54) maverick-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #794114

  [ Upstream Kernel Changes ]

  * Revert "xhci: Fix full speed bInterval encoding."
  * Revert "USB: xhci - also free streams when resetting devices"
  * Revert "USB: xhci - fix math in xhci_get_endpoint_interval()"
  * Revert "USB: xhci - fix unsafe macro definitions"

linux (2.6.35-30.53) maverick-proposed; urgency=low

  [ Upstream Kernel Changes ]

  * xhci: Fix full speed bInterval encoding.
    - LP: #792959

linux (2.6.35-30.52) maverick-proposed; urgency=low

  [ Herton R. Krzesinski ]

  * Release Tracking Bug
    - LP: #790653

  [ Stefan Bader ]

  * Include nls_iso8859-1 for virtual images
    - LP: #732046

  [ Thomas Schlichter ]

  * SAUCE: vesafb: mtrr module parameter is uint, not bool
    - LP: #778043

  [ Tim Gardner ]

  * [Config] Add cachefiles.ko to virtual flavour
    - LP: #770430

  [ Upstream Kernel Changes ]

  * Revert "intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot
    hang"
    - LP: #772560
  * Revert "TPM: Long default timeout fix"
    - LP: #772560
  * Revert "tpm_tis: Use timeouts returned from TPM"
    - LP: #772560
  * Revert "xen: set max_pfn_mapped to the last pfn mapped"
  * CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
    - LP: #765007
    - CVE-2010-4565
  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1,
    CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
  * Treat writes as new when holes span across page boundaries,
    CVE-2011-0463
    - LP: #770483
    - CVE-2011-0463
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table,
    CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * qla2xxx:...

Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-08-10
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Fix Released
Changed in linux-ec2 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Maverick):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Natty):
status: New → Invalid
description: updated
Kees Cook (kees) on 2011-08-16
Changed in linux-ec2 (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Natty):
importance: Undecided → Low
Changed in linux (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Maverick):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Natty):
importance: Undecided → Low
Kees Cook (kees) on 2011-09-13
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released
Paolo Pisati (p-pisati) on 2012-09-24
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: Fix Committed → Invalid
Changed in linux-ti-omap4 (Ubuntu):
status: Fix Committed → Fix Released