author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-20 13:54:15 -0400 |
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-20 13:54:15 -0400 |
commit | 59f6536f6e554a08451d5f0f3e2b8c35e3f76e89 (patch) | |
tree | 8dcca07204b7eea194926924ebb38ba7158ce9d0 | |
parent | ed153f5c7a42d2022fc7990bd5bce294970e720a (diff) | |
add agp mem write CVE patch
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/agp-fix-arbitrary-kernel-memory-writes.patch | 56 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 57 insertions, 0 deletions
diff --git a/queue/agp-fix-arbitrary-kernel-memory-writes.patch b/queue/agp-fix-arbitrary-kernel-memory-writes.patch
new file mode 100644
index 0000000..8d71bd1
--- /dev/null
+++ b/queue/agp-fix-arbitrary-kernel-memory-writes.patch
@@ -0,0 +1,56 @@
+From 4331463bb18c8abce20bd0b2f5d76f2b109c3c12 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Thu, 14 Apr 2011 20:55:16 +0400
+Subject: [PATCH] agp: fix arbitrary kernel memory writes
+
+commit 194b3da873fd334ef183806db751473512af29ce upstream.
+
+pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
+cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
+comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
+and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
+with sufficient privileges (usually "video" group) may generate either
+local DoS or privilege escalation.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index fb86708..94c0321 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1118,14 +1118,19 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
+ if (type != mem->type)
+ return -EINVAL;
+ 
++ num_entries = agp_num_entries();
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
++ return -EINVAL;
++
+ mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
+ if (mask_type != 0) {
+ /* The generic routines know nothing of memory types */
+ return -EINVAL;
+ }
+ 
+- /* AK: could wrap */
+- if ((pg_start + mem->page_count) > num_entries)
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
+ return -EINVAL;
+ 
+ j = pg_start;
+@@ -1159,7 +1164,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ size_t i;
+ struct agp_bridge_data *bridge;
+- int mask_type;
++ int mask_type, num_entries;
+ 
+ bridge = mem->bridge;
+ if (!bridge)
+--
+1.7.4.4
+
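Review bot: The range check that the description says is missing on the AGPIOC_UNBIND path never reaches agp_generic_remove_memory: the first hunk, headed `@@ -1118,14 +1118,19 @@ int agp_generic_insert_memory`, both inserts the new `num_entries = agp_num_entries();` block and rewrites the old `/* AK: could wrap */` check, so insert_memory validates pg_start twice, while the second hunk only widens the declaration to `int mask_type, num_entries;` in remove_memory and adds no check there. The context lines around the inserted block (`if (type != mem->type)` … `/* The generic routines know nothing of memory types */` … `}`) are the same in both functions, so this looks like the remove_memory hunk applied at the wrong offset; the upstream commit named in the description places that block in agp_generic_remove_memory. As applied, num_entries in remove_memory is declared but never used (expect an unused-variable warning), and in insert_memory the fresh `agp_num_entries()` value overwrites whatever num_entries the removed check was already relying on — compare with the full function, which lies outside the hunk. Move the five inserted lines to agp_generic_remove_memory after its own type check and keep only the rewritten wrap-safe comparison in insert_memory.
```c
int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
/* … unchanged: declarations (now including num_entries), bridge and type checks … */
	num_entries = agp_num_entries();
	if (((pg_start + mem->page_count) > num_entries) ||
	    ((pg_start + mem->page_count) < pg_start))
		return -EINVAL;

	mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
/* … unchanged: rest of agp_generic_remove_memory … */
```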
diff --git a/queue/series b/queue/series
index 17a0bad..d5a05ca 100644
--- a/queue/series
+++ b/queue/series
@@ -236,6 +236,7 @@ PCI-return-correct-value-when-writing-to-the-reset-a.patch
 # Content taken from v2.6.32.40
 mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
+agp-fix-arbitrary-kernel-memory-writes.patch
 # Content taken from v2.6.35.11
 arch-x86-oprofile-op_model_amd.c-Perform-initialisat.patch |