Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
| Link | Tags |
|---|---|
| http://www.ubuntu.com/usn/USN-1146-1 | third party advisory vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2011-0927.html | third party advisory vendor advisory |
| http://www.spinics.net/lists/linux-rdma/msg07448.html | mailing list third party advisory patch |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/66056 | vdb entry third party advisory |
| http://www.openwall.com/lists/oss-security/2011/03/11/1 | mailing list third party advisory patch |
| http://secunia.com/advisories/43693 | third party advisory |
| http://www.spinics.net/lists/linux-rdma/msg07447.html | mailing list patch exploit third party advisory |
| http://www.securityfocus.com/bid/46839 | vdb entry third party advisory |