ACK: [CVE-2012-0879] CLONE_IO reference counting error
stefan.bader at canonical.com
Thu Mar 1 15:22:47 UTC 2012
On 01.03.2012 15:45, Andy Whitcroft wrote:
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> io_context->nr_tasks is incremented, but never decremented whenever
> copy_process() fails afterwards, which prevents exit_io_context()
> from calling IO schedulers exit functions. An unprivileged local
> user could use these flaws cause denial of service.
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable. Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
> Proposing for lucid and lucid/fsl-imx51.
More information about the kernel-team