Date: Thu, 23 Feb 2012 14:48:41 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request -- kernel: block: CLONE_IO io_context refcounting issues On 02/23/2012 11:11 AM, Petr Matousek wrote: > With CLONE_IO, copy_io() increments both ioc->refcount and > ioc->nr_tasks. However exit_io_context() only decrements > ioc->refcount if ioc->nr_tasks reaches 0. > > With CLONE_IO, parent's io_context->nr_tasks is incremented, but never > decremented whenever copy_process() fails afterwards, which prevents > exit_io_context() from calling IO schedulers exit functions. > > An unprivileged local user could use these flaws cause denial of > service. > > Upstream fixes: > 61cc74fbb87af6aa551a06a370590c9bc07e29d9 > b69f2292063d2caf37ca9aec7d63ded203701bf3 > > References: > https://bugzilla.redhat.com/show_bug.cgi?id=796829 > http://comments.gmane.org/gmane.linux.kernel/922519 > > Looks like it got fixed in Linux kernel 2.6.33(-rc1). > > Thanks, Please use CVE-2012-0879 for this issue. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.