ACK: [CVE-2012-0879] CLONE_IO reference counting error

Stefan Bader stefan.bader at canonical.com
Thu Mar 1 15:22:47 UTC 2012


On 01.03.2012 15:45, Andy Whitcroft wrote:
> CVE-2012-0879
> 	With CLONE_IO, copy_io() increments both ioc->refcount and
> 	ioc->nr_tasks. However exit_io_context() only decrements
> 	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> 	io_context->nr_tasks is incremented, but never decremented whenever
> 	copy_process() fails afterwards, which prevents exit_io_context()
> 	from calling IO schedulers exit functions. An unprivileged local
> 	user could use these flaws to cause a denial of service.
>
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable.  Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
>
> Proposing for lucid and lucid/fsl-imx51.
>
> -apw
>
Looks ok

-Stefan
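The counter imbalance the CVE text describes, modelled in user space as an added example. This is not kernel code and not the lucid patch series under review: the names io_context, refcount, nr_tasks, copy_io(), exit_io_context() and copy_process() follow the description above, but their bodies, the `released` flag (used instead of freeing so the final state can be inspected), the `fixed` switch and the `fail_after_copy_io` parameter are simplifications assumed here to make the failure path visible.

```c
/*
 * Added illustration, not kernel code and not the patch being ACKed: a
 * user-space model of the io_context accounting described in CVE-2012-0879.
 * Names follow the CVE text; bodies, the `released` flag, the `fixed`
 * switch and the fail_after_copy_io parameter are assumptions made here.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define CLONE_IO 0x80000000u  /* flag value as in <linux/sched.h>; only tested as a bit */

struct io_context {
    int refcount;         /* pointer holders; context is released when this hits 0 */
    int nr_tasks;         /* tasks sharing the context; every bump needs an exit */
    int elevator_exited;  /* set once the IO scheduler exit functions have run */
    int released;         /* set instead of free() so the result can be inspected */
};

struct task { struct io_context *ioc; };

static struct io_context *alloc_io_context(void)
{
    struct io_context *ioc = calloc(1, sizeof *ioc);
    if (!ioc)
        abort();
    ioc->refcount = 1;
    ioc->nr_tasks = 1;
    return ioc;
}

static void put_io_context(struct io_context *ioc)
{
    if (--ioc->refcount == 0)
        ioc->released = 1;
}

/* copy_io(): with CLONE_IO the child shares the parent's context and both
 * counters go up together. exit_io_context() is what has to undo that pair. */
static void copy_io(unsigned clone_flags, struct task *parent, struct task *child)
{
    child->ioc = NULL;
    if (parent->ioc && (clone_flags & CLONE_IO)) {
        parent->ioc->refcount++;
        parent->ioc->nr_tasks++;
        child->ioc = parent->ioc;
    }
}

/* exit_io_context(): the scheduler exit functions run only when nr_tasks
 * reaches 0, so a single missing decrement silences them for good. */
static void exit_io_context(struct task *t)
{
    struct io_context *ioc = t->ioc;
    if (!ioc)
        return;
    t->ioc = NULL;
    if (--ioc->nr_tasks == 0)
        ioc->elevator_exited = 1;
    put_io_context(ioc);
}

/* copy_process(): fails after copy_io() when asked to. The vulnerable shape
 * forgets the half-built child's shared context on the error path; the fixed
 * shape runs exit_io_context() on the child before bailing out (assumed). */
static int copy_process(unsigned clone_flags, struct task *parent,
                        struct task *child, bool fail_after_copy_io, bool fixed)
{
    copy_io(clone_flags, parent, child);
    if (fail_after_copy_io) {
        if (fixed)
            exit_io_context(child);
        return -1;
    }
    return 0;
}

/* The scenario from the CVE text: parent clones with CLONE_IO, the clone
 * fails after copy_io(), then the parent exits. Returns the final state. */
static struct io_context run_scenario(bool fixed)
{
    struct task parent = { alloc_io_context() };
    struct task child = { NULL };
    struct io_context *ioc = parent.ioc;
    struct io_context state;

    copy_process(CLONE_IO, &parent, &child, true, fixed);
    exit_io_context(&parent);
    state = *ioc;
    free(ioc);
    return state;
}

static int nr_tasks_after(bool fixed)    { return run_scenario(fixed).nr_tasks; }
static int refcount_after(bool fixed)    { return run_scenario(fixed).refcount; }
static int elevator_exit_ran(bool fixed) { return run_scenario(fixed).elevator_exited; }
static int context_released(bool fixed)  { return run_scenario(fixed).released; }

static void report(const char *label, bool fixed)
{
    struct io_context s = run_scenario(fixed);
    printf("%s: nr_tasks=%d refcount=%d elevator_exited=%d released=%d\n",
           label, s.nr_tasks, s.refcount, s.elevator_exited, s.released);
}

int main(void)
{
    report("vulnerable", false);  /* nr_tasks stays 1: exit hooks never run, context leaks */
    report("fixed     ", true);   /* nr_tasks back to 0: hooks run, context released */
    return 0;
}
```

In the vulnerable run the parent's exit leaves nr_tasks at 1 and refcount at 1, so the IO scheduler exit functions are never called and the context is never released; repeating the failed clone from an unprivileged process is what turns this into the resource exhaustion the CVE text calls a denial of service. The fixed run undoes the copy_io() pair on the error path, and the parent's exit then takes both counters to 0.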