Ubuntu

CVE-2012-3511

Reported by John Johansen on 2012-08-27
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Tim Gardner
Natty
Low
Tim Gardner
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-armadaxp (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-ec2 (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-fsl-imx51 (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-lts-backport-maverick (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-lts-backport-natty (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-lts-backport-oneiric (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-mvl-dove (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned
linux-ti-omap4 (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Lucid
Low
Unassigned
Natty
Low
Unassigned
Oneiric
Low
Unassigned
Precise
Low
Unassigned
Quantal
Low
Unassigned

Bug Description

Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.

Break-Fix: 90ed52ebe48181d3c5427b3bd1d24f659e7575ad 9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

John Johansen (jjohansen) wrote :

CVE-2012-3511

tags: added: kernel-cve-tracking-bug
security vulnerability: no → yes
Changed in linux-armadaxp (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Hardy):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Natty):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Natty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
description: updated
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-ec2 (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-lts-backport-oneiric (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-lts-backport-natty (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-mvl-dove (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-lts-backport-maverick (Ubuntu Natty):
importance: Undecided → Low
Changed in linux (Ubuntu Precise):
importance: Undecided → Low
Changed in linux (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Natty):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Quantal):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux-fsl-imx51 (Ubuntu Natty):
importance: Undecided → Low
Tim Gardner (timg-tpi) wrote :

Quantal: released in v3.5-rc6

Changed in linux (Ubuntu Quantal):
status: New → Fix Released
Tim Gardner (timg-tpi) wrote :

Precise: released in v3.2.23

Changed in linux (Ubuntu Precise):
status: New → Fix Released
Tim Gardner (timg-tpi) wrote :

Oneiric: released in v3.0.37

Changed in linux (Ubuntu Oneiric):
status: New → Fix Released
Tim Gardner (timg-tpi) wrote :

Hardy: the problem was not introduced until 2.6.21

Changed in linux (Ubuntu Hardy):
status: New → Invalid
Changed in linux (Ubuntu Lucid):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Natty):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Precise):
status: Fix Released → New
Changed in linux (Ubuntu Oneiric):
status: Fix Released → New
Changed in linux (Ubuntu Quantal):
status: Fix Released → New
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Fix Released
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux-lts-backport-oneiric (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux (Ubuntu Precise):
status: New → Fix Committed
Changed in linux (Ubuntu Oneiric):
status: New → Fix Committed
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal):
status: New → Invalid
Changed in linux (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Fix Committed
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-16.67

---------------
linux (2.6.38-16.67) natty-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1045383

  [ Upstream Kernel Changes ]

  * rds: set correct msg_namelen
    - LP: #1031112
    - CVE-2012-3430
  * eCryptfs: Initialize empty lower files when opening them
    - LP: #911507
  * net: Allow driver to limit number of GSO segments per skb
    - LP: #1037456
    - CVE-2012-3412
  * tcp: do not scale TSO segment size with reordering degree
    - LP: #1037456
    - CVE-2012-3412
  * tcp: Apply device TSO segment limit earlier
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Fix maximum number of TSO segments and minimum TX queue size
    - LP: #1037456
    - CVE-2012-3412
  * mm: Hold a file reference in madvise_remove
    - LP: #1042447
    - CVE-2012-3511
  * cred: copy_process() should clear child->replacement_session_keyring
    - LP: #1023535
    - CVE-2012-2745
 -- Luis Henriques <email address hidden> Thu, 06 Sep 2012 09:25:21 +0100

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-43.97

---------------
linux (2.6.32-43.97) lucid-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1045405

  [ Upstream Kernel Changes ]

  * rds: set correct msg_namelen
    - LP: #1031112
    - CVE-2012-3430
  * eCryptfs: Initialize empty lower files when opening them
    - LP: #911507
  * net: Allow driver to limit number of GSO segments per skb
    - LP: #1037456
    - CVE-2012-3412
  * tcp: do not scale TSO segment size with reordering degree
    - LP: #1037456
    - CVE-2012-3412
  * tcp: Apply device TSO segment limit earlier
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Fix maximum number of TSO segments and minimum TX queue size
    - LP: #1037456
    - CVE-2012-3412
  * mm: Hold a file reference in madvise_remove
    - LP: #1042447
    - CVE-2012-3511
  * ulimit: raise default hard ulimit on number of files to 4096
    - LP: #663090
 -- Luis Henriques <email address hidden> Wed, 05 Sep 2012 09:39:41 +0100

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ec2 - 2.6.32-348.54

---------------
linux-ec2 (2.6.32-348.54) lucid-proposed; urgency=low

  [ Stefan Bader ]

  * Rebased to Ubuntu-2.6.32-43.97
  * SAUCE: EC2: Backport changes to limit GSO segments
    - LP: #1037456
    - CVE-2012-3412
  * Release Tracking Bug
    - LP: #1046656

  [ Ubuntu: 2.6.32-43.97 ]

  * rds: set correct msg_namelen
    - LP: #1031112
    - CVE-2012-3430
  * eCryptfs: Initialize empty lower files when opening them
    - LP: #911507
  * net: Allow driver to limit number of GSO segments per skb
    - LP: #1037456
    - CVE-2012-3412
  * tcp: do not scale TSO segment size with reordering degree
    - LP: #1037456
    - CVE-2012-3412
  * tcp: Apply device TSO segment limit earlier
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Fix maximum number of TSO segments and minimum TX queue size
    - LP: #1037456
    - CVE-2012-3412
  * mm: Hold a file reference in madvise_remove
    - LP: #1042447
    - CVE-2012-3511
  * ulimit: raise default hard ulimit on number of files to 4096
    - LP: #663090
 -- Stefan Bader <email address hidden> Fri, 07 Sep 2012 09:16:52 +0200

Changed in linux-ec2 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-backport-natty - 2.6.38-16.67~lucid1

---------------
linux-lts-backport-natty (2.6.38-16.67~lucid1) lucid-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1047350

  [ Upstream Kernel Changes ]

  * rds: set correct msg_namelen
    - LP: #1031112
    - CVE-2012-3430
  * eCryptfs: Initialize empty lower files when opening them
    - LP: #911507
  * net: Allow driver to limit number of GSO segments per skb
    - LP: #1037456
    - CVE-2012-3412
  * tcp: do not scale TSO segment size with reordering degree
    - LP: #1037456
    - CVE-2012-3412
  * tcp: Apply device TSO segment limit earlier
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Fix maximum number of TSO segments and minimum TX queue size
    - LP: #1037456
    - CVE-2012-3412
  * mm: Hold a file reference in madvise_remove
    - LP: #1042447
    - CVE-2012-3511
  * cred: copy_process() should clear child->replacement_session_keyring
    - LP: #1023535
    - CVE-2012-2745
 -- Luis Henriques <email address hidden> Fri, 07 Sep 2012 14:15:51 +0100

Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Aaron Farias (timido) wrote : FWD:

wow this is pretty crazy you should check it out http://www.news15localal.net/jobs/?finance=31765

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 2.6.38-1209.26

---------------
linux-ti-omap4 (2.6.38-1209.26) natty-proposed; urgency=low

  * Release Tracking Bug
    - LP: #1047347

  [ Upstream Kernel Changes ]

  * rds: set correct msg_namelen
    - LP: #1031112
    - CVE-2012-3340
  * KVM: unmap pages from the iommu when slots are removed
    - LP: #987569
    - CVE-2012-2121
  * net: Allow driver to limit number of GSO segments per skb
    - LP: #1037456
    - CVE-2012-3412
  * tcp: do not scale TSO segment size with reordering degree
    - LP: #1037456
    - CVE-2012-3412
  * tcp: Apply device TSO segment limit earlier
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
    - LP: #1037456
    - CVE-2012-3412
  * sfc: Fix maximum number of TSO segments and minimum TX queue size
    - LP: #1037456
    - CVE-2012-3412
  * mm: Hold a file reference in madvise_remove
    - LP: #1042447
    - CVE-2012-3511
 -- Paolo Pisati <email address hidden> Wed, 12 Sep 2012 16:34:28 +0200

Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released
description: updated
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. lucid has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against lucid is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in linux-lts-backport-oneiric (Ubuntu Lucid):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers