
List:       oss-security
Subject:    Re: [oss-security] CVE request -- kernel: block: CLONE_IO io_context refcounting issues
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-02-23 21:48:41
Message-ID: 4F46B439.6030605 () redhat ! com

On 02/23/2012 11:11 AM, Petr Matousek wrote:
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0.
> 
> With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
> decremented whenever copy_process() fails afterwards, which prevents
> exit_io_context() from calling IO schedulers exit functions.
> 
> An unprivileged local user could use these flaws to cause denial of
> service.
> 
> Upstream fixes:
> 61cc74fbb87af6aa551a06a370590c9bc07e29d9
> b69f2292063d2caf37ca9aec7d63ded203701bf3
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=796829
> http://comments.gmane.org/gmane.linux.kernel/922519
> 
> Looks like it got fixed in Linux kernel 2.6.33(-rc1).
> 
> Thanks,

Please use CVE-2012-0879 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
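
An added illustration, not part of the original message and not kernel code: a simplified userspace C model of the two counter imbalances described in the quoted report. The `balanced` and `undo_nr_tasks` switches, and the assumption that the failure path drops the reference it took, are constructs of this model and are not taken from the upstream patches.

```c
#include <stdio.h>

/* Userspace model only (constructed); names follow the report above. */
struct io_context {
    int refcount;  /* references keeping the structure alive */
    int nr_tasks;  /* tasks currently sharing the context */
    int exit_ran;  /* 1 once the IO scheduler exit hook has run */
};

static void copy_io(struct io_context *ioc) {  /* CLONE_IO: both go up */
    ioc->refcount++;
    ioc->nr_tasks++;
}

/* balanced == 0: reference dropped only when nr_tasks reaches 0 (as reported).
 * balanced == 1: every exiting task drops its reference (assumed remedy). */
static void exit_io_context(struct io_context *ioc, int balanced) {
    int last = (--ioc->nr_tasks == 0);
    ioc->exit_ran |= last;   /* exit hook runs only for the last task */
    if (last || balanced)
        ioc->refcount--;
}

/* Parent plus `children` CLONE_IO tasks all exit; returns leftover refcount. */
int leaked_refs(int children, int balanced) {
    struct io_context ioc = { 1, 1, 0 };
    for (int i = 0; i < children; i++)
        copy_io(&ioc);
    for (int i = 0; i <= children; i++)
        exit_io_context(&ioc, balanced);
    return ioc.refcount;
}

/* copy_process() fails after copy_io(); returns 1 if the exit hook later runs. */
int exit_hook_after_failed_clone(int undo_nr_tasks) {
    struct io_context ioc = { 1, 1, 0 };
    copy_io(&ioc);
    ioc.refcount--;              /* assumed: failure path drops the new reference */
    if (undo_nr_tasks)
        ioc.nr_tasks--;          /* balanced cleanup also undoes nr_tasks */
    exit_io_context(&ioc, 1);    /* parent exits later */
    return ioc.exit_ran;
}

int main(void) {
    printf("leaked refs: %d vs %d\n", leaked_refs(3, 0), leaked_refs(3, 1));
    printf("exit hook runs: %d vs %d\n",
           exit_hook_after_failed_clone(0), exit_hook_after_failed_clone(1));
    return 0;
}
```

In the model, a nonzero result from `leaked_refs` means the context is never freed, and a zero result from `exit_hook_after_failed_clone` means the scheduler exit hook is skipped for that context.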