Re: CVE Request -- kernel: mm: use-after-free in madvise_remove()

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/20/2012 12:07 PM, Petr Matousek wrote:
> A use-after-free flaw has been found in madvise_remove() function
> in the Linux kernel. madvise_remove() can race with munmap (causing
> a use-after-free of the vma) or with close (causing a
> use-after-free of the struct file). An unprivileged local user can
> use this flaw to crash the system.
>
> Upstream fix: 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb
>
>  Introduced in: 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=90ed52ebe48181d3c5427b3bd1d24f659e7575ad
>
>  References: https://bugzilla.redhat.com/show_bug.cgi?id=849734
>
> Thanks,

Please use CVE-2012-3511 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQMoGWAAoJEBYNRVNeJnmTCbUP/iMzPXqPImIN9n6FN1D7GQu+
hdqUCdYKYHSLP/bSFxBuNLaxwGQvVrymEN6dkn3tvTgDh1YnPXEXngcXWwwNPcHR
CxFJTBs+6O08MZL8dfB9PxHSXi9jcBOi28aOeqcCVG3slumJJnliSxjTw3XUWvOV
jLzFA1+TLswamky9j3xYchnD5mywy5jrkPXhZb5cuAnVU/+c0WNIKNFVf1snKHwC
23EdGc/XEa5qs+RmNhVCzxnOgjfvm1hq33A0vs2bCBS6R2hNzAwt1gxZRKhMfcJT
yHgAEgUZ7gbTbaKlDQvDL8pl4o1L4tEk8Xd0v89iHfqSIRk5vyzah9S4LIK5NnmY
CcDt/NVddT4nO5rAIFHO2Lk5UX07yGGUW4gP5DQor/gozz/EFeOU2KzP95Q4qfZ+
tX8Z6iR74fl+b8DlDwX5RfyoqflhwkKanhsTtYgFvpbO5TFDUsp4Z3trcIRmNowu
+r2rSGRzts2FRPjPtuFpzcsJaR8R3tXaPkY2zhNWChc2XAK48fcFr9bPMS9v+z6x
r6rq3+rL1cPRxmPB12ID6hQ8+9ttAUtDUW1OW29r6Nk3PFCYVgf0GYUhMjDs/r9g
L5xhi2b4QSb0b4WzvtM754lQCYOmYmbjeqlolWWmgNo3LRxPo4DK0uTsiszzUlNC
50ubEHrBqFAtBmvY059S
=9hDa
-----END PGP SIGNATURE-----