[CVE-2012-0879] CLONE_IO reference counting error
Andy Whitcroft
apw at canonical.com
Thu Mar 1 14:45:41 UTC 2012
CVE-2012-0879
With CLONE_IO, copy_io() increments both ioc->refcount and
ioc->nr_tasks. However exit_io_context() only decrements
ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
io_context->nr_tasks is incremented, but never decremented whenever
copy_process() fails afterwards, which prevents exit_io_context()
from calling IO schedulers exit functions. An unprivileged local
user could use these flaws cause denial of service.
This was not introduced until after hardy, and fixes for this have hit
maverick and later via mainline and stable. Following this email is a 2
patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
from mainline.
Proposing for lucid and lucid/fsl-imx51.
-apw
More information about the kernel-team
mailing list