Re: CVE request -- kernel: block: CLONE_IO io_context refcounting issues

[Kurt Seifried <kseifried () redhat com>]

On 02/23/2012 11:11 AM, Petr Matousek wrote:
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0.
>
> With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
> decremented whenever copy_process() fails afterwards, which prevents
> exit_io_context() from calling IO schedulers exit functions.
>
> An unprivileged local user could use these flaws cause denial of
> service.
>
> Upstream fixes:
> 61cc74fbb87af6aa551a06a370590c9bc07e29d9
> b69f2292063d2caf37ca9aec7d63ded203701bf3
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=796829
> http://comments.gmane.org/gmane.linux.kernel/922519
>
> Looks like it got fixed in Linux kernel 2.6.33(-rc1).
>
> Thanks,

Please use CVE-2012-0879 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)