Bug 849734 (CVE-2012-3511)

Summary: CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: agordeev, anton, bhu, davej, davidyangyi, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jlieskov, jneedle, jonathan, jrusnack, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, nchavan, plougher, rt-maint, sforsber, williams, ybabar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120706,reported=20120716,source=sko,cvss2=6.2/AV:L/AC:H/Au:N/C:C/I:C/A:C,rhel-5/kernel=affected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected,cwe=CWE-416
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-24 09:35:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 849735, 849736, 849738, 849739, 849740, 849741, 849742
Bug Blocks: 849743

Description Petr Matousek 2012-08-20 14:03:53 EDT
A use-after-free flaw has been found in the madvise_remove() function in the Linux kernel. madvise_remove() can race with munmap (causing a use-after-free of the vma) or with close (causing a use-after-free of the struct file). An unprivileged local user can use this flaw to crash the system and potentially gain higher privileges.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=90ed52ebe48181d3c5427b3bd1d24f659e7575ad
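The following is an added userspace model of the close() race described above and of the standard way this class of bug is closed; it is not code from this bug, from the kernel, or from the referenced upstream commit. It assumes that the fix is to take a reference on the file before the mmap lock is dropped for the slow hole-punching call and to release it afterwards (treat that as an assumption: the page itself does not describe the fix). The `struct file_like`, `g_file`, `punch_hole`, `racing_close` and `run_scenario` names are constructed for the model; "freed" is tracked with a flag rather than by actually freeing memory so that the model stays deterministic and defined.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel's struct file: a refcount plus a flag
 * that records the point at which the real kernel would have freed it. */
struct file_like {
    int refcount;
    int freed;
    long bytes_punched;
};

static struct file_like *g_file;    /* plays the role of vma->vm_file */
static int g_mmap_lock_held;        /* plays the role of mmap_sem */

static void get_file_ref(struct file_like *f) { f->refcount++; }

static void put_file_ref(struct file_like *f) {
    if (--f->refcount == 0)
        f->freed = 1;               /* real kernel: memory is released here */
}

/* The slow operation that must run with the mmap lock dropped.
 * Returns -1 when it touches a file that is already gone: in the real
 * kernel that access is the use-after-free. */
static int punch_hole(struct file_like *f, long len) {
    if (f->freed)
        return -1;
    f->bytes_punched += len;
    return 0;
}

/* Models close(2) from another thread landing in the unlocked window. */
static void racing_close(void) { put_file_ref(g_file); }

/* Vulnerable shape: look the file up under the lock, drop the lock,
 * then keep using the pointer without holding a reference of its own. */
static int madvise_remove_unsafe(long len, int race) {
    g_mmap_lock_held = 1;
    struct file_like *f = g_file;
    g_mmap_lock_held = 0;
    if (race)
        racing_close();             /* last reference gone: f is dangling */
    return punch_hole(f, len);
}

/* Fixed shape: pin the file before dropping the lock, release it after. */
static int madvise_remove_safe(long len, int race) {
    g_mmap_lock_held = 1;
    struct file_like *f = g_file;
    get_file_ref(f);                /* our reference keeps f alive */
    g_mmap_lock_held = 0;
    if (race)
        racing_close();             /* drops the fd's reference, not ours */
    int rc = punch_hole(f, len);
    put_file_ref(f);                /* now the file may really go away */
    return rc;
}

/* Fresh file with exactly one reference (the open descriptor), then one
 * madvise_remove call, optionally with close() racing in. */
static int run_scenario(int use_safe_version, int race_with_close) {
    static struct file_like f;
    f.refcount = 1;
    f.freed = 0;
    f.bytes_punched = 0;
    g_file = &f;
    return use_safe_version ? madvise_remove_safe(4096, race_with_close)
                            : madvise_remove_unsafe(4096, race_with_close);
}

int main(void) {
    printf("unsafe, no race:  rc=%d\n", run_scenario(0, 0));
    printf("unsafe, race:     rc=%d (use-after-free)\n", run_scenario(0, 1));
    printf("safe,   race:     rc=%d (file freed only after use: %d)\n",
           run_scenario(1, 1), g_file->freed);
    printf("safe,   no race:  rc=%d\n", run_scenario(1, 0));
    return 0;
}
```

The point of the model is the ordering, not the data structures: whatever is looked up under a lock and then used after the lock is released needs its own lifetime guarantee, and a reference taken while the lock is still held is the usual way to provide one.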
Comment 3 Petr Matousek 2012-08-20 14:07:48 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 849742]
Comment 5 davidyangyi 2012-08-30 01:42:00 EDT
Is there any fix released out now ?
Comment 6 Jan Lieskovsky 2012-08-30 06:25:58 EDT
(In reply to comment #5)
> Is there any fix released out now ?

Not yet (as of right now). Please refer to Red Hat CVE database entry:
[1] https://access.redhat.com/security/cve/CVE-2012-3511

for progress / updates.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 11 errata-xmlrpc 2012-11-06 13:19:07 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1426 https://rhn.redhat.com/errata/RHSA-2012-1426.html
Comment 12 errata-xmlrpc 2012-12-04 14:58:47 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html
Comment 14 Vincent Danen 2013-09-26 11:35:01 EDT
Statement:

(none)
Comment 15 errata-xmlrpc 2013-09-26 13:21:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1292 https://rhn.redhat.com/errata/RHSA-2013-1292.html