List: oss-security
Subject: Re: [oss-security] CVE request -- kernel: block: CLONE_IO io_context refcounting issues
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-02-23 21:48:41
Message-ID: 4F46B439.6030605 () redhat ! com
On 02/23/2012 11:11 AM, Petr Matousek wrote:
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0.
>
> With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
> decremented whenever copy_process() fails afterwards, which prevents
> exit_io_context() from calling IO schedulers exit functions.
>
> An unprivileged local user could use these flaws to cause denial of
> service.
>
> Upstream fixes:
> 61cc74fbb87af6aa551a06a370590c9bc07e29d9
> b69f2292063d2caf37ca9aec7d63ded203701bf3
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=796829
> http://comments.gmane.org/gmane.linux.kernel/922519
>
> Looks like it got fixed in Linux kernel 2.6.33(-rc1).
>
> Thanks,
Please use CVE-2012-0879 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
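
The counter imbalance described in the quoted report, as a userspace model added here (not kernel code and not part of the original message). The struct, the function names, and the "balanced" and "undo" variants are assumptions made for illustration.

```c
#include <stdio.h>

struct ioc_model {
    int refcount;     /* references keeping the object alive */
    int nr_tasks;     /* tasks sharing the context */
    int sched_exited; /* 1 once the I/O scheduler exit hooks would have run */
};

/* CLONE_IO sharing as described in the report: both counters go up. */
static void model_copy_io(struct ioc_model *c) { c->refcount++; c->nr_tasks++; }

/* Task exit. balanced == 0: refcount drops only when nr_tasks reaches 0 (as
 * reported). balanced == 1: each task drops its own reference (assumption). */
static void model_exit(struct ioc_model *c, int balanced)
{
    int last = (--c->nr_tasks == 0);
    if (last)
        c->sched_exited = 1;
    if (balanced || last)
        c->refcount--;
}

/* Parent clones with CLONE_IO, then both tasks exit. Returns leftover refs. */
static int refs_left_after_clone(int balanced)
{
    struct ioc_model c = { 1, 1, 0 };
    model_copy_io(&c);
    model_exit(&c, balanced);   /* child exits */
    model_exit(&c, balanced);   /* parent exits */
    return c.refcount;
}

/* copy_process() fails after copy_io(); undo == 1 releases the child's share. */
static int sched_exit_ran_after_failed_fork(int undo)
{
    struct ioc_model c = { 1, 1, 0 };
    model_copy_io(&c);
    if (undo)
        model_exit(&c, 1);      /* assumed error-path cleanup */
    model_exit(&c, 1);          /* parent exits */
    return c.sched_exited;
}

int main(void)
{
    printf("refs left: reported=%d balanced=%d; sched exit: no undo=%d undo=%d\n",
           refs_left_after_clone(0), refs_left_after_clone(1),
           sched_exit_ran_after_failed_fork(0), sched_exit_ran_after_failed_fork(1));
    return 0;
}
```

A leftover reference of 1 means the modeled object is never freed; a scheduler-exit value of 0 means the exit hooks never ran for the parent's context.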