Bug 849734 - (CVE-2012-3511) CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120706,repor...
Keywords: Security
Depends On: 849735 849736 849738 849739 849740 849741 849742
Blocks: 849743
Reported: 2012-08-20 14:03 EDT by Petr Matousek
Modified: 2015-07-27 04:27 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-24 09:35:43 EDT
Description Petr Matousek 2012-08-20 14:03:53 EDT
A use-after-free flaw has been found in the madvise_remove() function in the Linux kernel. madvise_remove() can race with munmap (causing a use-after-free of the vma) or with close (causing a use-after-free of the struct file). An unprivileged local user can use this flaw to crash the system and potentially gain higher privileges.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=90ed52ebe48181d3c5427b3bd1d24f659e7575ad
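
Added example, not part of the original bug report or the kernel source: a single-threaded userspace C model of the race described above, where a pointer read under a lock is used after the lock is dropped, beside the reference-holding shape that closes the window. All struct and function names are hypothetical, and the concurrent munmap/close is simulated by a direct call so the interleaving is deterministic.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct file_obj { int refs; bool freed; };
struct mapping  { struct file_obj *file; };

static void file_get(struct file_obj *f) { f->refs++; }
static void file_put(struct file_obj *f)
{
    if (--f->refs == 0)
        f->freed = true;      /* stands in for the free; memory is kept so the model stays defined */
}

/* What the racing munmap()/close() does: drop the mapping's own reference. */
static void concurrent_unmap(struct mapping *m)
{
    if (m->file) { file_put(m->file); m->file = NULL; }
}

/* Slow operation run with the lock dropped; reports whether the object was already gone. */
static int slow_op(const struct file_obj *f) { return f->freed ? -1 : 0; }

/* Racy shape: pointer read under the lock, then used after the lock is dropped. */
static int remove_racy(struct mapping *m)
{
    struct file_obj *f = m->file;   /* (lock held) */
    /* lock dropped here: nothing pins f any more */
    concurrent_unmap(m);            /* the other thread wins the race */
    return slow_op(f);              /* a use-after-free in real code */
}

/* Fixed shape: take an extra reference before dropping the lock. */
static int remove_pinned(struct mapping *m)
{
    struct file_obj *f = m->file;   /* (lock held) */
    file_get(f);                    /* pin the object across the unlocked window */
    /* lock dropped here */
    concurrent_unmap(m);            /* same interleaving, but refs stays above zero */
    int ret = slow_op(f);
    file_put(f);                    /* last reference: the object is released only now */
    return ret;
}

/* Run one scenario on a fresh object and return the slow_op() result. */
int run_scenario(bool pinned)
{
    struct file_obj f = { .refs = 1, .freed = false };
    struct mapping m = { .file = &f };
    return pinned ? remove_pinned(&m) : remove_racy(&m);
}
```
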
Comment 3 Petr Matousek 2012-08-20 14:07:48 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 849742]
Comment 5 davidyangyi 2012-08-30 01:42:00 EDT
Is there any fix released out now?
Comment 6 Jan Lieskovsky 2012-08-30 06:25:58 EDT
(In reply to comment #5)
> Is there any fix released out now?

Not yet (as of right now). Please refer to Red Hat CVE database entry:
[1] https://access.redhat.com/security/cve/CVE-2012-3511

for progress / updates.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 11 errata-xmlrpc 2012-11-06 13:19:07 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1426 https://rhn.redhat.com/errata/RHSA-2012-1426.html
Comment 12 errata-xmlrpc 2012-12-04 14:58:47 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html
Comment 14 Vincent Danen 2013-09-26 11:35:01 EDT
Statement:

(none)
Comment 15 errata-xmlrpc 2013-09-26 13:21:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1292 https://rhn.redhat.com/errata/RHSA-2013-1292.html
