Re: CVE Request -- Linux kernel: ipc: ipc_rcu_putref refcount races

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2013 08:52 AM, Petr Matousek wrote:
> A flaw was found in the way ipc_rcu_putref() function handled
> reference counter decrementing. Without external synchronization
> reference counter might not be adjusted properly, as presented with
> the freeque() vs do_msgsnd() race, leading to memory leaks.
>
> An unprivileged local user could use this flaw to cause OOM
> conditions, potentially crashing the system.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1024854 
> https://wiki.openvz.org/Download/kernel/rhel6-testing/042stab084.3
>
> Upstream patch: 
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8
(making the refcounter atomic hunks)
> Acknowledgements:
>
> Red Hat would like to thank Vladimir Davydov (Parallels) for
> reporting this issue.
>
> Thanks,

Please use CVE-2013-4483 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJScS3HAAoJEBYNRVNeJnmTmZYQAIBteZ3rBeIJY/+3uE9XAiFN
CfLKl2IgNbqvZC+6Jgf+fcAlpyUOWCLklondkYfpqQKab+w9tniXahLl24vO5a5G
aBRSbhb3vOVwljBdJ9LW8CDsFTQMZJWONOHaHhpp5oyFKonygWbev8bAoVN5e90y
bYDYeDTrzUH+JHBuNfukuJvbpwTzZ48kdHpuZ3Dh5EANAfXWVczCvDvFaw4XSJBp
gl3RuxgOy2oJCkAGwlf2InF+VtdW8vKQIyZBU/ps0Winron9zTBxBCOIOANyWeDV
9uieaWE2PbbM+TZHBUOHgC/Z9dbAvza6qyHzSOf7DNiyCab7HrUcaneznJHKGpzF
cQ9/sadWuhjvUphF/Imf8kSUOHSwX+pwW6E3892TS3JpW0d++BRiCv6+HAOwDEJk
in2RV2i4M00kNy4hL76TyGgtZezVuUQUCwv+vampC0CtGM1rUq8h8nGHpjzDUNFT
Muf4k6xW3xOBiYQHFGFN2vF7zyzeQnD/N+0TR5uBctdlXpg7YI40+cvrW5lh9FLc
HYSPOeFxOOwc4cvEdn8Id4E11el9o8tvV3JH/0xK26MXkOyiJAba5nc03wfO95+E
jn9+RgwHrOUrjrX6n0blzM3AxSt6EDt1oUOcw0PcFnzHJWIaZGvBMr32fHKyAeBo
95rJddPETqid9nshxkRC
=5AIf
-----END PGP SIGNATURE-----