A flaw was found in the way the Linux kernel's futex subsystem handled reference counting in the case of a futex requeue during futex_wait(). An unprivileged local user could use this flaw to crash the system or, potentially, escalate their privileges on the system by over-putting the reference counter on either the inode or the mm that backs the memory area of the futex, leading to a use-after-free.
References: https://lkml.org/lkml/2010/9/16/99
Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ada876a8703f23befbb20a7465a702ee39b1704
Acknowledgements: The security impact of this issue was discovered by Mateusz Guzik of Red Hat.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG-2. Future Linux kernel updates for Red Hat Enterprise Linux 6 may address this issue.
IssueDescription: A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of the inode or mm struct that backs the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
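The reference-count imbalance described in the summary and the IssueDescription above, as an added illustration that is not kernel code and not part of the upstream fix: it replays a constructed trace of get/put events on the object backing a futex key (the inode or mm) and reports the first event at which a holder drops more references than it took. The holder names, the traces and the audit_key_refs function are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not kernel code: replay a trace of get/put events on the
 * object backing a futex key (an inode or mm) and report the first event at
 * which a holder drops more references than it took ("over-putting"). */
enum op { GET, PUT };
struct event { const char *holder; enum op op; }; /* holder names are constructed */
/* Returns the index of the first over-put event, -1 if the trace is balanced,
 * -2 if more than 8 holders appear. *final_count gets the remaining refcount. */
int audit_key_refs(const struct event *ev, int n, int *final_count)
{
    const char *holders[8];
    int held[8], nh = 0, count = 0, first_bad = -1;
    for (int i = 0; i < n; i++) {
        int h;
        for (h = 0; h < nh && strcmp(holders[h], ev[i].holder) != 0; h++)
            ;
        if (h == nh) {              /* first time this holder is seen */
            if (nh == 8) return -2;
            holders[nh] = ev[i].holder;
            held[nh++] = 0;
        }
        if (ev[i].op == GET) { held[h]++; count++; continue; }
        held[h]--;
        count--;
        /* A holder going negative is the over-put; if the total reached zero
         * here the object was freed while the owner still uses it (the UAF). */
        if (held[h] < 0 && first_bad < 0)
            first_bad = i;
    }
    if (final_count) *final_count = count;
    return first_bad;
}
/* Convenience wrapper: the refcount left on the object after the trace. */
int refs_left(const struct event *ev, int n) { int c; audit_key_refs(ev, n, &c); return c; }
/* Constructed traces: the owner holds one reference, the waiter takes one in
 * futex_wait(), and the buggy requeue path drops it twice. */
static const struct event buggy_trace[] = {
    { "owner", GET }, { "waiter", GET }, { "waiter", PUT }, { "waiter", PUT },
};
static const struct event fixed_trace[] = {
    { "owner", GET }, { "waiter", GET }, { "waiter", PUT },
};
int main(void)
{
    int count, bad = audit_key_refs(buggy_trace, 4, &count);
    printf("buggy: first over-put at event %d, refcount left %d\n", bad, count);
    bad = audit_key_refs(fixed_trace, 3, &count);
    printf("fixed: first over-put at event %d, refcount left %d\n", bad, count);
    return 0;
}
```

In the buggy trace the object's count reaches zero at the waiter's second put while the owner still holds a live reference, which is the window the advisory describes.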
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1167 https://rhn.redhat.com/errata/RHSA-2014-1167.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only Via RHSA-2014:1365 https://rhn.redhat.com/errata/RHSA-2014-1365.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 AUS Via RHSA-2014:1763 https://rhn.redhat.com/errata/RHSA-2014-1763.html