oss-sec mailing list archives
CVE Request -- Linux kernel: ipc: ipc_rcu_putref refcount races
From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 30 Oct 2013 15:52:31 +0100
A flaw was found in the way ipc_rcu_putref() function handled reference counter decrementing. Without external synchronization reference counter might not be adjusted properly, as presented with the freeque() vs do_msgsnd() race, leading to memory leaks. An unprivileged local user could use this flaw to cause OOM conditions, potentially crashing the system. References: https://bugzilla.redhat.com/show_bug.cgi?id=1024854 https://wiki.openvz.org/Download/kernel/rhel6-testing/042stab084.3 Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8 (making the refcounter atomic hunks) Acknowledgements: Red Hat would like to thank Vladimir Davydov (Parallels) for reporting this issue. Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE Request -- Linux kernel: ipc: ipc_rcu_putref refcount races Petr Matousek (Oct 30)
- Re: CVE Request -- Linux kernel: ipc: ipc_rcu_putref refcount races Kurt Seifried (Oct 30)