Bug 698999 (CVE-2011-1747)

Summary: CVE-2011-1747 kernel: agp: possible kernel mem exhaustion via AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, arozansk, davej, dhoward, jmarchan, jpirko, kernel-mgr, kmcmartin, lwang, sforsber, tcallawa, vgoyal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-23 14:30:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 699000, 699001, 699002, 699003, 699004, 761351    
Bug Blocks: 823440    

Description Petr Matousek 2011-04-22 15:21:43 UTC 
There is a problem in agp code - kernel memory exhaustion (AGPIOC_RESERVE and
AGPIOC_ALLOCATE ioctls).  It is not checked whether requested pid is a pid of
the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to
16KB, though, there is no per-process limit. This might lead to OOM situation,
which is not even solved in case of the caller death by OOM killer - the memory
is allocated for another (faked) process.

Reference:
https://lkml.org/lkml/2011/4/14/294

Acknowledgements:                                                                
 
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Comment 3 Eugene Teo (Security Response) 2011-04-25 02:36:38 UTC 
This issue was mentioned in https://lkml.org/lkml/2011/4/14/294 and linux-2.6:b522f02184b413955f3bc952e3776ce41edc6355 for the patch fixing CVE-2011-1746 because the patch tries to fix a similar problem - OOM.

CVE-2011-1747 is not fixed yet.
Comment 15 Petr Matousek 2012-05-23 14:33:00 UTC 
Statement:

Red Hat Security Response team does not consider this bug to be security relevant one due to the privileges (CAP_SYS_RAWIO) required to exploit this issue.