CVE-2010-2962
Published: 26 November 2010
drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations.
From the Ubuntu Security Team
Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges.
Notes
| Author | Note |
|---|---|
| kees | jaunty's code is a bit different, but at least half looks to still apply. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Not vulnerable
|
|
| jaunty |
Ignored
(reached end-of-life)
|
|
| karmic |
Released
(2.6.31-22.70)
|
|
| lucid |
Released
(2.6.32-27.49)
|
|
| maverick |
Not vulnerable
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
Patches: upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7dcd2499deab8f10011713c40bc2f309c9b65077 karmic: http://chinstrap.ubuntu.com/~ogasawara/CVEs/CVE-2010-2962/patches/karmic/linux/0001-drm-i915-Sanity-check-pread-pwrite.txt karmic: http://chinstrap.ubuntu.com/~ogasawara/CVEs/CVE-2010-2962/patches/karmic/linux/0002-drm-i915-Rephrase-pwrite-bounds-checking-to-avoid-any-.txt lucid: http://chinstrap.ubuntu.com/~ogasawara/CVEs/CVE-2010-2962/patches/lucid/linux/0001-drm-i915-Sanity-check-pread-pwrite.txt lucid: http://chinstrap.ubuntu.com/~ogasawara/CVEs/CVE-2010-2962/patches/lucid/linux/0002-drm-i915-Rephrase-pwrite-bounds-checking-to-avoid-any-.txt |
||
|
linux-ec2 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Released
(2.6.31-307.23)
|
|
| lucid |
Released
(2.6.32-311.23)
|
|
| maverick |
Ignored
(binary supplied by "linux" now)
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
linux-fsl-imx51 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Released
(2.6.31-112.30)
|
|
| lucid |
Released
(2.6.31-608.22)
|
|
| maverick |
Does not exist
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
linux-lts-backport-maverick Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Released
(2.6.35-25.44~lucid1)
|
|
| maverick |
Does not exist
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
linux-mvl-dove Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Ignored
(abandonded branch)
|
|
| lucid |
Released
(2.6.32-216.33)
|
|
| maverick |
Released
(2.6.32-416.33)
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
linux-source-2.6.15 Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
|
| hardy |
Does not exist
|
|
| jaunty |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
|
linux-ti-omap4 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Released
(2.6.35-903.22)
|
|
| upstream |
Released
(2.6.36~rc7)
|
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962
- https://ubuntu.com/security/notices/USN-1041-1
- https://ubuntu.com/security/notices/USN-1074-1
- https://ubuntu.com/security/notices/USN-1074-2
- https://ubuntu.com/security/notices/USN-1083-1
- https://ubuntu.com/security/notices/USN-1093-1
- https://ubuntu.com/security/notices/USN-1119-1
- NVD
- Launchpad
- Debian