Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 698999 - (CVE-2011-1747) CVE-2011-1747 kernel: agp: possible kernel mem exhaustion via AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls
CVE-2011-1747 kernel: agp: possible kernel mem exhaustion via AGPIOC_RESERVE ...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20110414,reported=20110421,sou...
: Security
Depends On: 699000 699001 699002 699003 699004 761351
Blocks: 823440
  Show dependency treegraph
 
Reported: 2011-04-22 11:21 EDT by Petr Matousek
Modified: 2015-08-19 05:09 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-23 10:30:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Petr Matousek 2011-04-22 11:21:43 EDT 
There is a problem in agp code - kernel memory exhaustion (AGPIOC_RESERVE and
AGPIOC_ALLOCATE ioctls).  It is not checked whether requested pid is a pid of
the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to
16KB, though, there is no per-process limit. This might lead to OOM situation,
which is not even solved in case of the caller death by OOM killer - the memory
is allocated for another (faked) process.

Reference:
https://lkml.org/lkml/2011/4/14/294

Acknowledgements:                                                                
 
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Comment 3 Eugene Teo (Security Response) 2011-04-24 22:36:38 EDT 
This issue was mentioned in https://lkml.org/lkml/2011/4/14/294 and linux-2.6:b522f02184b413955f3bc952e3776ce41edc6355 for the patch fixing CVE-2011-1746 because the patch tries to fix a similar problem - OOM.

CVE-2011-1747 is not fixed yet.
Comment 15 Petr Matousek 2012-05-23 10:33:00 EDT 
Statement:

Red Hat Security Response team does not consider this bug to be security relevant one due to the privileges (CAP_SYS_RAWIO) required to exploit this issue.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.