Bug 817430 (CVE-2012-2133)
Summary: | CVE-2012-2133 kernel: use after free bug in "quota" handling | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aiyengar, davej, dhoward, fweisbec, gansalmon, itamar, jforbes, jonathan, jrusnack, jwboyer, kernel-maint, kernel-mgr, lwang, madhu.chinakonda, pmatouse, raindel, rwheeler, sforsber, vgoyal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-04-16 19:19:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 843034, 843035, 843036, 843037, 843038, 927272 | ||
Bug Blocks: | 815174 |
Description
Eugene Teo (Security Response)
2012-04-30 01:05:57 UTC
*** Bug 815065 has been marked as a duplicate of this bug. ***

Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5. Future kernel updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux MRG 2 may address this issue.

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 843038]

(In reply to comment #0)
> There is a use after free bug in the kernel hugetlb code. The bug can allow
> an authenticated, unprivileged local attacker to crash the system (and
> possibly gain higher privileges) if huge pages are enabled in the system.
>
> A fix has been committed to upstream, commit
> 90481622d75715bfcb68501280a917dbfe516029 "hugepages: fix use after free bug
> in "quota" handling"
>
> Version-Release number of selected component (if applicable):
> The bug exists in kernel versions 2.6.24 and above.
>
> How reproducible:
> The attached tarball includes an example code which utilizes a fuse mount
> with O_DIRECT flag to reproduce the issue. The code will work only on
> kernels 2.6.32 and above since it uses the new "anonymous mapping" API for
> getting huge pages. Similar reproduction is possible when using the shmem
> API or the hugetlbfs API. Stock kernel might not crash, debug kernel will
> detect the corruption and kill the process.
>
> Steps to Reproduce:
> 1. Untar the attached file
> 2. Run run_test.sh. The fuse-devel package and sudo rights are required for
> the fuse mount. Sudo rights are also required for enabling huge pages.
> 3. Observe the kernel crash when running debug kernel. Normal kernels will
> (usually) not crash, as the slab allocator will not return the memory blocks
> to the system general pool for a while.

Hi Eugene.

The proposed testcase seems to be missing in attachment.

(In reply to comment #7)
> Hi Eugene.
>
> The proposed testcase seems to be missing in attachment.

Please see bug 815065 comment #0

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1426 https://rhn.redhat.com/errata/RHSA-2012-1426.html

This issue has been addressed in following products:

MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2013:0741 https://rhn.redhat.com/errata/RHSA-2013-0741.html