871556 – (CVE-2013-7348) VUL-0: CVE-2013-7348: kernel: aio: double free in ioctx_alloc

Bug 871556 (CVE-2013-7348) - VUL-0: CVE-2013-7348: kernel: aio: double free in ioctx_alloc

Summary: VUL-0: CVE-2013-7348: kernel: aio: double free in ioctx_alloc

Status:	RESOLVED FIXED

Alias:	CVE-2013-7348

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Jan Kara
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/97508/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-04-02 07:42 UTC by Alexander Bergmann
Modified:	2014-06-17 08:37 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2014-04-02 07:42:59 UTC

Via rh#1083270:

ioctx_alloc() calls aio_setup_ring() to allocate a ring. If aio_setup_ring() fails to do so it would call aio_free_ring() before returning, but ioctx_alloc() would call aio_free_ring() again causing a double free of the ring. 

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d558023207e008a4476a3b7bb8706b2a2bf5d84f

CVE-2013-7348 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1083270

Comment 1 Swamp Workflow Management 2014-04-02 22:00:12 UTC

bugbot adjusting priority

Comment 2 Michal Hocko 2014-04-15 09:23:06 UTC

This seems to be a fallout from 3dc9acb676003 which reorganized aio_setup_ring. None  This is 3.13 so we shouldn't be affected.

Comment 5 Jan Kara 2014-06-17 08:37:17 UTC

After checking in detail - we already got the fix and all the relevant fixups from stable tree.