CVE-2012-2373 - The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled,

CVE-2012-2373

Summary

The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial of service (panic) via a crafted application that triggers a race condition.

References

Vulnerable Configurations

cpe:2.3:o:linux:linux_kernel:3.4.1:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.1:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc3:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc3:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc5:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc5:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc2:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc2:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.3:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.3:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.2:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.2:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc4:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc4:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc7:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc7:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc6:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc6:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:2.6.33.7:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:2.6.33.7:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.2:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.2:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.2.1:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.2.1:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc1:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4:rc1:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.4:*:*:*:*:*:x86:*
cpe:2.3:o:linux:linux_kernel:3.4.4:*:*:*:*:*:x86:*

CVSS

Base:	4.0 (as of 13-02-2023 - 00:24)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
LOCAL	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	COMPLETE

cvss-vector via4

AV:L/AC:H/Au:N/C:N/I:N/A:C

redhat via4

advisories

bugzilla

id	822821
title	CVE-2012-2373 kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SMP race condition

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

comment kernel earlier than 0:2.6.32-220.23.1.el6 is currently running
oval oval:com.redhat.rhsa:tst:20120743025
comment kernel earlier than 0:2.6.32-220.23.1.el6 is set to boot up on next boot
oval oval:com.redhat.rhsa:tst:20120743026

AND
comment kernel is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743001
comment kernel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842002

AND

comment kernel-bootwrapper is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743003
comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842004

AND

comment kernel-debug is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743005
comment kernel-debug is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842006

AND

comment kernel-debug-devel is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743007
comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842008

AND

comment kernel-devel is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743009
comment kernel-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842010

AND

comment kernel-doc is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743011
comment kernel-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842012

AND

comment kernel-firmware is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743013
comment kernel-firmware is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842014

AND

comment kernel-headers is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743015
comment kernel-headers is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842016

AND

comment kernel-kdump is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743017
comment kernel-kdump is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842018

AND

comment kernel-kdump-devel is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743019
comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842020

AND
comment perf is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743021
comment perf is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842022

AND

comment python-perf is earlier than 0:2.6.32-220.23.1.el6
oval oval:com.redhat.rhsa:tst:20120743023
comment python-perf is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111530024

rhsa

id	RHSA-2012:0743
released	2012-06-18
severity	Important
title	RHSA-2012:0743: kernel security and bug fix update (Important)

rpms

kernel-0:2.6.32-220.23.1.el6
kernel-bootwrapper-0:2.6.32-220.23.1.el6
kernel-debug-0:2.6.32-220.23.1.el6
kernel-debug-debuginfo-0:2.6.32-220.23.1.el6
kernel-debug-devel-0:2.6.32-220.23.1.el6
kernel-debuginfo-0:2.6.32-220.23.1.el6
kernel-debuginfo-common-i686-0:2.6.32-220.23.1.el6
kernel-debuginfo-common-ppc64-0:2.6.32-220.23.1.el6
kernel-debuginfo-common-s390x-0:2.6.32-220.23.1.el6
kernel-debuginfo-common-x86_64-0:2.6.32-220.23.1.el6
kernel-devel-0:2.6.32-220.23.1.el6
kernel-doc-0:2.6.32-220.23.1.el6
kernel-firmware-0:2.6.32-220.23.1.el6
kernel-headers-0:2.6.32-220.23.1.el6
kernel-kdump-0:2.6.32-220.23.1.el6
kernel-kdump-debuginfo-0:2.6.32-220.23.1.el6
kernel-kdump-devel-0:2.6.32-220.23.1.el6
perf-0:2.6.32-220.23.1.el6
perf-debuginfo-0:2.6.32-220.23.1.el6
python-perf-0:2.6.32-220.23.1.el6
python-perf-debuginfo-0:2.6.32-220.23.1.el6

refmap via4

confirm	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=26c191788f18129af0eb32a358cdaea0c7479626 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.5 https://bugzilla.redhat.com/show_bug.cgi?id=822821 https://github.com/torvalds/linux/commit/26c191788f18129af0eb32a358cdaea0c7479626
hp	HPSBGN02970
mlist	[oss-security] 20120518 Re: CVE Request -- kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SMP race condition
ubuntu	USN-1529-1

Last major update

13-02-2023 - 00:24

Published

09-08-2012 - 10:29

Last modified

13-02-2023 - 00:24