Ack: Re: [CVE-2012-0879] CLONE_IO reference counting error
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Thu Mar 1 15:13:27 UTC 2012
On Thu, Mar 01, 2012 at 02:45:41PM +0000, Andy Whitcroft wrote:
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> io_context->nr_tasks is incremented, but never decremented whenever
> copy_process() fails afterwards, which prevents exit_io_context()
> from calling IO schedulers exit functions. An unprivileged local
> user could use these flaws cause denial of service.
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable. Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
> Proposing for lucid and lucid/fsl-imx51.
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
More information about the kernel-team