oss-sec: CVE Request -- kernel: mm: use-after-free in madvise

oss-sec mailing list archives

CVE Request -- kernel: mm: use-after-free in madvise_remove()

From: Petr Matousek <pmatouse () redhat com>
Date: Mon, 20 Aug 2012 20:07:04 +0200

A use-after-free flaw has been found in madvise_remove() function in the
Linux kernel. madvise_remove() can race with munmap (causing a
use-after-free of the vma) or with close (causing a use-after-free of the
struct file). An unprivileged local user can use this flaw to crash the
system.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=90ed52ebe48181d3c5427b3bd1d24f659e7575ad

References:
https://bugzilla.redhat.com/show_bug.cgi?id=849734

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

By Date By Thread

Current thread:

CVE Request -- kernel: mm: use-after-free in madvise_remove() Petr Matousek (Aug 20)
- Re: CVE Request -- kernel: mm: use-after-free in madvise_remove() Kurt Seifried (Aug 20)