The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Linux kernel: memory corruption via AGPgart

Summary of the vulnerability

A local attacker can use two vulnerabilities of AGPgart to corrupt memory, cause a denial of service or elevate his privileges.
Vulnerable systems: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity of this threat: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/04/2011.
References for this weakness: BID-47534, BID-47535, BID-47843, CVE-2011-1745, CVE-2011-1746, CVE-2011-1747, CVE-2011-2022, DSA-2240-1, DSA-2264-1, FEDORA-2011-6447, FEDORA-2011-6541, openSUSE-SU-2011:0860-1, RHSA-2011:0927-01, RHSA-2011:1253-01, RHSA-2011:1350-01, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1058-1, VIGILANCE-VUL-10592.

Description of the vulnerability 

The AGPgart (Graphics Address Remapping Table) module is used by video devices with low memory resources. It uses /dev/agpgart, and it is impacted by two vulnerabilities.

The AGPIOC_BIND and AGPIOC_UNBIND ioctls call the agp_generic_insert_memory() and agp_generic_remove_memory() functions. An attacker can use them to write to kernel memory. [severity:2/4; BID-47534, BID-47843, CVE-2011-1745, CVE-2011-2022]

The AGPIOC_ALLOCATE ioctl calls the agp_create_user_memory() and agp_allocate_memory() functions. An attacker can use them to create a buffer overflow. [severity:2/4; BID-47535, CVE-2011-1746]

An attacker can use the AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls to allocate memory areas that will never be freed. [severity:1/4; CVE-2011-1747]

A local attacker can therefore use two vulnerabilities of AGPgart to corrupt memory, cause a denial of service or elevate his privileges.

This computer threat impacts software or systems such as Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is medium.

The trust level is "confirmed by the editor", and the origin of the attack is "user shell".

This bulletin is about 3 vulnerabilities.

An attacker with expert ability can exploit this cybersecurity weakness.

Solutions for this threat 

Linux kernel: version 2.6.39.
The version 2.6.39 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.38.5.
The version 2.6.38.5 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.33.13.
The version 2.6.33.13 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.32.40.
The version 2.6.32.50 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.27.60.
The version 2.6.27.60 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.27/

Linux kernel: patch for AGPgart.
Two patches are available in information sources.

Debian: new linux-2.6 packages (20/06/2011).
New packages are available:
  linux-2.6 2.6.26-26lenny3

Debian: new linux-2.6 packages (25/05/2011).
New packages are available:
  linux-2.6 2.6.32-34squeeze1

Fedora 13: new kernel packages (22/06/2011).
New packages are available:
  kernel-2.6.34.9-69.fc13

Fedora 14: new kernel packages.
New packages are available:
  kernel-2.6.35.13-91.fc14

openSUSE 11.4: new kernel packages (02/08/2011).
New packages are available:
  kernel-*-2.6.37.6-0.7.1

RHEL 5: new kernel packages.
New packages are available:
  kernel-2.6.18-238.19.1.el5

RHEL 6 MRG: new kernel-rt packages.
New packages are available:
  MRG Realtime for RHEL 6 Server: kernel-rt-*-2.6.33.9-rt31.75.el6rt

RHEL 6: new kernel packages (06/10/2011).
New packages are available:
  kernel-2.6.32-131.17.1.el6

SUSE LE 10 SP3: new kernel packages (21/09/2011).
New packages are available, as indicated in information sources.

SUSE LE 10 SP4: new kernel packages (12/08/2011).
New packages are available, as indicated in information sources.

SUSE LE 11: new kernel packages.
New packages are available, as indicated in information sources.

SUSE LE 9: new kernel packages (23/08/2011).
New packages are available:
  http://download.novell.com/patch/finder/?keywords=c05dae2ea95bb787f18166cf12f585e3

VMware ESX 4.1: patch ESX410-201201001.
A patch is available:
  ESX410-201201001
  http://downloads.vmware.com/go/selfsupport-download
  http://kb.vmware.com/kb/2009142
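
The upstream fixed releases listed above can be turned into a quick triage check for a host's kernel release string. This is an added example, not code from Vigil@nce or the kernel project; the function names agp_status and fixed_sublevel are hypothetical. Because the page gives both 2.6.32.40 and 2.6.32.50 for the 2.6.32 branch, the stricter .50 is assumed.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed
# upstream versions listed under "Solutions for this threat".

# Lowest fixed sublevel per 2.6.x stable branch, copied from the bulletin.
# The page prints both 2.6.32.40 and 2.6.32.50 for the 2.6.32 branch;
# using the stricter .50 here is an assumption.
fixed_sublevel() {
    case "$1" in
        38) echo 5 ;;
        33) echo 13 ;;
        32) echo 50 ;;
        27) echo 60 ;;
        *)  return 1 ;;
    esac
}

# agp_status RELEASE prints: fixed | vulnerable | unlisted | vendor | unknown
agp_status() {
    rel=$1
    case "$rel" in
        # Distribution kernels (2.6.18-238.19.1.el5, ...) backport fixes, so
        # the upstream number proves nothing: compare the package version
        # against the distribution entries of the bulletin instead.
        *-*|*+*) echo vendor; return 0 ;;
        ""|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $rel
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; sub=${4:-0}
    # 3.0 and later continue from 2.6.39, which the bulletin lists as fixed.
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    if [ "$major" -ne 2 ] || [ "$minor" -ne 6 ]; then echo unknown; return 0; fi
    if [ "$patch" -ge 39 ]; then echo fixed; return 0; fi
    if min=$(fixed_sublevel "$patch"); then
        if [ "$sub" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
    else
        # Branch below 2.6.39 with no corrected release in the bulletin.
        echo unlisted
    fi
}

# Classify the given release, or the running kernel when none is given.
agp_status "${1:-$(uname -r)}"
```

A "vendor" or "unlisted" result means the upstream comparison does not apply; check the installed kernel package against the distribution entries in this list.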