Bug 782696 (CVE-2012-0058) - CVE-2012-0058 kernel: Unused iocbs in a batch should not be accounted as active
Summary: CVE-2012-0058 kernel: Unused iocbs in a batch should not be accounted as active
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-0058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 782697
Blocks: 782675
TreeView+ depends on / blocked
 
Reported: 2012-01-18 07:26 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:49 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:58:16 UTC


Attachments (Terms of Use)

Description Eugene Teo (Security Response) 2012-01-18 07:26:10 UTC
commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b
Author: Gleb Natapov <gleb@redhat.com>
Date:   Sun Jan 8 17:07:28 2012 +0200

    Unused iocbs in a batch should not be accounted as active.
    
    Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs are
    allocated in a batch during processing of first iocbs.  All iocbs in a
    batch are automatically added to ctx->active_reqs list and accounted in
    ctx->reqs_active.
    
    If one (not the last one) of iocbs submitted by an user fails, further
    iocbs are not processed, but they are still present in ctx->active_reqs
    and accounted in ctx->reqs_active.  This causes process to stuck in a D
    state in wait_for_all_aios() on exit since ctx->reqs_active will never
    go down to zero.  Furthermore since kiocb_batch_free() frees iocb
    without removing it from active_reqs list the list become corrupted
    which may cause oops.
    
    Fix this by removing iocb from ctx->active_reqs and updating
    ctx->reqs_active in kiocb_batch_free().
    
    Signed-off-by: Gleb Natapov <gleb@redhat.com>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@kernel.org   # 3.2
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Statement:
Not vulnerable. This issue did not affected the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not backport the upstream commit 080d676d that introduced this issue.

Comment 1 Eugene Teo (Security Response) 2012-01-18 07:28:39 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782697]


Note You need to log in before you can comment on or make changes to this bug.