retire CVE-2016-10723

1 files changed, 23 insertions, 0 deletions

diff --git a/retired/CVE-2016-10723 b/retired/CVE-2016-10723
new file mode 100644
index 00000000..3f65a967
--- /dev/null
+++ b/retired/CVE-2016-10723
@@ -0,0 +1,23 @@
+Description: Don't call schedule_timeout_killable() with oom_lock held
+References:
+ https://patchwork.kernel.org/patch/10395909/
+ https://patchwork.kernel.org/patch/9842889/
+ https://www.spinics.net/lists/linux-mm/msg117896.html
+ https://www.spinics.net/lists/linux-mm/msg117960.html
+Notes:
+ carnil> Commit 9bfe5ded054b ("mm, oom: remove sleep from under oom_lock")
+ carnil> is a mitigation for CVE-2016-10723.
+ carnil> https://lore.kernel.org/lkml/cb2d635c-c14d-c2cc-868a-d4c447364f0d@i-love.sakura.ne.jp/
+ bwh> On 3.16 the OOM killer usually kills the reproducer fairly quickly,
+ bwh> but not always.  It still spams the kernel log and in some cases
+ bwh> it seemed to cause a filesystem error causing / to go read-only.
+ bwh> I assume 4.9 is also affected.
+Bugs:
+upstream: ignored "Negligible security impact, long-standing limitation"
+4.19-upstream-stable: ignored "Negligible security impact, long-standing limitation"
+4.9-upstream-stable: ignored "Negligible security impact, long-standing limitation"
+3.16-upstream-stable: ignored "Negligible security impact, long-standing limitation"
+sid: ignored "Negligible security impact, long-standing limitation"
+4.19-buster-security: ignored "Negligible security impact, long-standing limitation"
+4.9-stretch-security: ignored "Negligible security impact, long-standing limitation"
+3.16-jessie-security: ignored "Negligible security impact, long-standing limitation"