
kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2011-1494 CVE-2011-1495 CVE-2011-1745 CVE-2011-1746 CVE-2011-1079
Created: May 10, 2011
Updated: September 13, 2011
Description: From the Red Hat bugzilla:

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. (CVE-2011-1494, CVE-2011-1495)

Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. (CVE-2011-1079)

pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, a user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. (CVE-2011-1745)

page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from the num_agp_pages variable without overflow. This may lead to allocation of a too-small buffer, followed by a buffer overflow. (CVE-2011-1746)
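The wrap case described for CVE-2011-1745 and CVE-2011-1746, shown as an added example (not code from the kernel or from the Red Hat report): a range check that forms pg_start + page_count beside one that never forms the sum, plus an allocation-size calculation that fails instead of overflowing. The function names, the num_entries parameter and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: a table with num_entries page slots (not kernel code). */

/* Naive check: the sum can wrap past ULONG_MAX and then compare as "small". */
static bool range_ok_naive(unsigned long pg_start, unsigned long page_count,
                           unsigned long num_entries)
{
    return pg_start + page_count <= num_entries;
}

/* Wrap-safe check: never forms pg_start + page_count. */
static bool range_ok_safe(unsigned long pg_start, unsigned long page_count,
                          unsigned long num_entries)
{
    if (pg_start > num_entries)
        return false;
    return page_count <= num_entries - pg_start;
}

/* Size in bytes for n entries of elem bytes; rejects a product that wraps. */
static bool alloc_size_safe(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return false;
    *out = n * elem;
    return true;
}

int main(void)
{
    unsigned long entries = 1024;         /* constructed sample values */
    unsigned long start = ULONG_MAX - 3;  /* user-supplied, close to the wrap */
    unsigned long count = 8;
    size_t sz = 0;

    printf("naive accepts: %d\n", range_ok_naive(start, count, entries));
    printf("safe accepts:  %d\n", range_ok_safe(start, count, entries));
    printf("alloc ok:      %d\n", alloc_size_safe(SIZE_MAX / 2, 8, &sz));
    return 0;
}
```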

Alerts:
SUSE SUSE-SU-2015:0812-1 kernel 2015-04-30
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1256-1 linux-lts-backport-natty 2011-11-09
Scientific Linux SL-kern-20111005 kernel 2011-10-05
Red Hat RHSA-2011:1350-01 kernel 2011-10-05
SUSE SUSE-SU-2011:1058-1 kernel 2011-09-21
Ubuntu USN-1212-1 linux-ti-omap4 2011-09-21
SUSE SUSE-SA:2011:040 kernel 2011-09-20
Ubuntu USN-1204-1 linux-fsl-imx51 2011-09-13
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Red Hat RHSA-2011:1253-01 kernel-rt 2011-09-12
Ubuntu USN-1189-1 kernel 2011-08-19
SUSE SUSE-SU-2011:0899-1 kernel 2011-08-12
SUSE SUSE-SA:2011:034 kernel 2011-08-12
Ubuntu USN-1187-1 kernel 2011-08-09
openSUSE openSUSE-SU-2011:0860-1 kernel 2011-08-02
Scientific Linux SL-kern-20110715 kernel 2011-07-15
SUSE SUSE-SU-2011:0832-1 kernel 2011-07-25
SUSE SUSE-SA:2011:031 kernel 2011-07-25
CentOS CESA-2011:0927 kernel 2011-07-18
Ubuntu USN-1170-1 linux 2011-07-15
Ubuntu USN-1168-1 linux 2011-07-15
Red Hat RHSA-2011:0927-01 kernel 2011-07-15
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1161-1 linux-ec2 2011-07-13
Ubuntu USN-1159-1 linux-mvl-dove 2011-07-13
Ubuntu USN-1162-1 linux-mvl-dove 2011-06-29
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1183-1 kernel 2011-08-03
Ubuntu USN-1160-1 kernel 2011-06-28
Red Hat RHSA-2011:0883-01 kernel 2011-06-21
Fedora FEDORA-2011-6447 kernel 2011-05-04
Debian DSA-2264-1 linux-2.6 2011-06-18
Scientific Linux SL-kern-20110519 kernel 2011-05-19
CentOS CESA-2011:0833 kernel 2011-05-31
Red Hat RHSA-2011:0833-01 kernel 2011-05-31
Debian DSA-2240-1 linux-2.6 2011-05-24
Red Hat RHSA-2011:0500-01 kernel-rt 2011-05-10
Red Hat RHSA-2011:0498-01 kernel 2011-05-10
Red Hat RHSA-2011:0542-01 kernel 2011-05-19
Fedora FEDORA-2011-6541 kernel 2011-05-05

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds