Bug 782696 (CVE-2012-0058)

Summary: CVE-2012-0058 kernel: Unused iocbs in a batch should not be accounted as active
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bhu, dhoward, gansalmon, itamar, jkacur, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, madhu.chinakonda, nobody, plougher, rt-maint, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:58:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 782697    
Bug Blocks: 782675    

Description Eugene Teo (Security Response) 2012-01-18 07:26:10 UTC
commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b
Author: Gleb Natapov <gleb>
Date:   Sun Jan 8 17:07:28 2012 +0200

    Unused iocbs in a batch should not be accounted as active.
    
    Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs are
    allocated in a batch during processing of first iocbs.  All iocbs in a
    batch are automatically added to ctx->active_reqs list and accounted in
    ctx->reqs_active.
    
    If one (not the last one) of iocbs submitted by an user fails, further
    iocbs are not processed, but they are still present in ctx->active_reqs
    and accounted in ctx->reqs_active.  This causes process to stuck in a D
    state in wait_for_all_aios() on exit since ctx->reqs_active will never
    go down to zero.  Furthermore since kiocb_batch_free() frees iocb
    without removing it from active_reqs list the list become corrupted
    which may cause oops.
    
    Fix this by removing iocb from ctx->active_reqs and updating
    ctx->reqs_active in kiocb_batch_free().
    
    Signed-off-by: Gleb Natapov <gleb>
    Reviewed-by: Jeff Moyer <jmoyer>
    Cc: stable   # 3.2
    Signed-off-by: Linus Torvalds <torvalds>

Statement:
Not vulnerable. This issue did not affected the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not backport the upstream commit 080d676d that introduced this issue.

Comment 1 Eugene Teo (Security Response) 2012-01-18 07:28:39 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782697]