Bug 849734 (CVE-2012-3511) - CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
Summary: CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3511
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 849735 849736 849738 849739 849740 849741 849742
Blocks: 849743
TreeView+ depends on / blocked
 
Reported: 2012-08-20 18:03 UTC by Petr Matousek
Modified: 2021-02-23 14:04 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-24 13:35:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1426 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2012-11-06 23:14:35 UTC
Red Hat Product Errata RHSA-2012:1491 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-12-05 00:50:25 UTC
Red Hat Product Errata RHSA-2013:1292 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2013-09-26 21:19:22 UTC

Description Petr Matousek 2012-08-20 18:03:53 UTC 
A use-after-free flaw has been found in madvise_remove() function in the Linux kernel. madvise_remove() can race with munmap (causing a use-after-free
of the vma) or with close (causing a use-after-free of the struct file). An unprivileged local user can use this flaw to crash the system and potentially gain higher privileges.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=90ed52ebe48181d3c5427b3bd1d24f659e7575ad
Comment 3 Petr Matousek 2012-08-20 18:07:48 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 849742]
Comment 5 davidyangyi 2012-08-30 05:42:00 UTC 
Is there any fix released out now ?
Comment 6 Jan Lieskovsky 2012-08-30 10:25:58 UTC 
(In reply to comment #5)
> Is there any fix released out now ?

Not yet (as of right now). Please refer to Red Hat CVE database entry:
[1] https://access.redhat.com/security/cve/CVE-2012-3511

for progress / updates.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 11 errata-xmlrpc 2012-11-06 18:19:07 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1426 https://rhn.redhat.com/errata/RHSA-2012-1426.html
Comment 12 errata-xmlrpc 2012-12-04 19:58:47 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html
Comment 14 Vincent Danen 2013-09-26 15:35:01 UTC 
Statement:

(none)
Comment 15 errata-xmlrpc 2013-09-26 17:21:17 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1292 https://rhn.redhat.com/errata/RHSA-2013-1292.html
Note You need to log in before you can comment on or make changes to this bug.