On Thu, Mar 01, 2012 at 02:45:41PM +0000, Andy Whitcroft wrote:
> CVE-2012-0879
> With CLONE_IO, copy_io() increments both ioc->refcount and
> ioc->nr_tasks. However exit_io_context() only decrements
> ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> io_context->nr_tasks is incremented, but never decremented whenever
> copy_process() fails afterwards, which prevents exit_io_context()
> from calling IO schedulers exit functions. An unprivileged local
> user could use these flaws cause denial of service.
>
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable. Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
>
> Proposing for lucid and lucid/fsl-imx51.
>
> -apw
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 01.03.2012 15:45, Andy Whitcroft wrote:

CVE-2012-0879
With CLONE_IO, copy_io() increments both ioc->refcount and
ioc->nr_tasks. However exit_io_context() only decrements
ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
io_context->nr_tasks is incremented, but never decremented whenever
copy_process() fails afterwards, which prevents exit_io_context()
from calling IO schedulers exit functions. An unprivileged local
user could use these flaws cause denial of service.

This was not introduced until after hardy, and fixes for this have hit
maverick and later via mainline and stable. Following this email is a 2
patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
from mainline.

Proposing for lucid and lucid/fsl-imx51.

-apw


Looks ok

-Stefan

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team