Description of problem: When called for anonymous (non-shared) mappings, hugetlb_reserve_pages() does a resv_map_alloc(). It depends on code in hugetlbfs's vm_ops->close() to release that allocation. However, in the mmap() failure path, we do a plain unmap_region() without the remove_vma() which actually calls vm_ops->close(). An unprivileged local user could use this flaw to crash the system.

References: http://www.spinics.net/lists/linux-mm/msg34763.html

Proposed upstream fix: https://lkml.org/lkml/2012/5/21/385
Created kernel tracking bugs for this issue. Affects: fedora-all [bug 824352]
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/14
Upstream commits: c50ac050811d6485616a193eb0f37bfbd191cc89 4523e1458566a0e8ecfaff90f380dd23acc44d27
kernel-3.4.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.3.8-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.43.8-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, as they did not include the upstream commit 84afd99b that introduced this issue. Future kernel updates for Red Hat Enterprise Linux 6 may address this issue. This has been addressed in Red Hat Enterprise MRG 2 via https://rhn.redhat.com/errata/RHSA-2012-1150.html
This issue has been addressed in the following products: MRG for RHEL-6 v.2. Via RHSA-2012:1150 https://rhn.redhat.com/errata/RHSA-2012-1150.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html