oss-sec mailing list archives
CVE request -- kernel: block: CLONE_IO io_context refcounting issues
From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 23 Feb 2012 19:11:01 +0100
With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks. However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's io_context->nr_tasks is incremented, but never decremented whenever copy_process() fails afterwards, which prevents exit_io_context() from calling IO schedulers exit functions.

An unprivileged local user could use these flaws to cause a denial of service.

Upstream fixes:
61cc74fbb87af6aa551a06a370590c9bc07e29d9
b69f2292063d2caf37ca9aec7d63ded203701bf3

References:
https://bugzilla.redhat.com/show_bug.cgi?id=796829
http://comments.gmane.org/gmane.linux.kernel/922519

Looks like it got fixed in Linux kernel 2.6.33(-rc1).

Thanks,
--
Petr Matousek / Red Hat Security Response Team
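To make the refcounting problem in the report concrete, here is a deliberately simplified model of the two counters and the exit path it describes. This is an added illustration written for this archive page, not kernel code: the real struct io_context, copy_io(), exit_io_context() and the copy_process() error path have more fields, locking and callers, and the "apply_fix" branch only models the idea of undoing copy_io() when the clone fails, not the exact upstream patch.

```c
/* Simplified model of the CLONE_IO io_context refcounting bug.
 * Added illustration, not kernel code. */
#include <stdbool.h>

struct io_context {
    int refcount;      /* references held on the context */
    int nr_tasks;      /* tasks sharing the context via CLONE_IO */
    bool sched_exited; /* set when the IO scheduler exit hook ran */
};

/* copy_io() with CLONE_IO: the child shares the parent's context,
 * so both counters go up (as the report states). */
static void copy_io_clone_io(struct io_context *ioc)
{
    ioc->refcount++;
    ioc->nr_tasks++;
}

/* exit_io_context(): only the last task lets the IO scheduler run its
 * exit function and drops the reference (the behaviour described). */
static void exit_io_context(struct io_context *ioc)
{
    if (--ioc->nr_tasks == 0) {
        ioc->sched_exited = true;
        ioc->refcount--;
    }
}

/* Scenario: the parent owns ioc, a clone with CLONE_IO passes copy_io()
 * but copy_process() fails afterwards, then the parent exits.
 * Returns the final counter state so the leak is visible. */
struct io_context parent_exit_after_failed_clone(bool apply_fix)
{
    struct io_context ioc = { .refcount = 1, .nr_tasks = 1 };

    copy_io_clone_io(&ioc);   /* child's copy_io() succeeded */
    /* ... a later copy_process() step fails; the child never runs */
    if (apply_fix) {
        /* modelled fix: the error path undoes what copy_io() did */
        ioc.nr_tasks--;
        ioc.refcount--;
    }
    exit_io_context(&ioc);    /* parent exits */
    return ioc;
}
```

Without the fix the parent's exit leaves nr_tasks at 1 and refcount at 2, so the scheduler exit hook never runs and the context is leaked; with the fix both return to 0 and the hook runs.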