| Summary: | Linux kernel: ipc: ipc_rcu_putref refcount races (CVE-2013-4483) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Mikle Kolyada (RETIRED) <zlogene> |
| Component: | Kernel | Assignee: | Gentoo Kernel Security <security-kernel> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | kernel |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://seclists.org/oss-sec/2013/q4/194 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
CVE-2013-4483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4483): The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. we have 3.10 stabilized anyway, no older versions |
from ${URL}: A flaw was found in the way ipc_rcu_putref() function handled reference counter decrementing. Without external synchronization reference counter might not be adjusted properly, as presented with the freeque() vs do_msgsnd() race, leading to memory leaks. An unprivileged local user could use this flaw to cause OOM conditions, potentially crashing the system. References: https://bugzilla.redhat.com/show_bug.cgi?id=1024854 https://wiki.openvz.org/Download/kernel/rhel6-testing/042stab084.3 Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8 (making the refcounter atomic hunks) Acknowledgements: Red Hat would like to thank Vladimir Davydov (Parallels) for reporting this issue.