Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 170261 - CVE-2005-3107 zap_threads DoS
Summary: CVE-2005-3107 zap_threads DoS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Peter Staubach
QA Contact: Brian Brock
URL:
Whiteboard: public=20050115,impact=low,source=cve
Depends On:
Blocks: RHEL3U8CanFix
TreeView+ depends on / blocked
 
Reported: 2005-10-10 11:38 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
4 users (show)

Fixed In Version: RHSA-2006-0437
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-20 13:31:56 UTC
Target Upstream Version:


Attachments (Terms of Use)
Testcase to reproduce the problem (deleted)
2005-11-08 19:49 UTC, Peter Staubach
no flags Details
Proposed patch (deleted)
2006-02-03 18:53 UTC, Peter Staubach
no flags Details | Diff
Test program to reproduce the situation. (deleted)
2006-02-03 18:58 UTC, Peter Staubach
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0437 normal SHIPPED_LIVE Important: Updated kernel packages for Red Hat Enterprise Linux 3 Update 8 2006-07-20 13:11:00 UTC

Description Mark J. Cox 2005-10-10 11:38:40 UTC
fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares
the same memory map, might allow local users to cause a denial of service
(deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED
state.

http://linux.bkbits.net:8080/linux-2.6/cset%4041e9a97cuQ7FWekabtf12Orvpfbp1w

This issue does not affect linux-2.4 but may affect RHEL3 due to the backported
nptl patch in linux-2.4.20-o1-nptl.patch.  

(Note that we fixed this in RHEL4U1 in *6.9-ptrace-fixes.patch)

Comment 1 Ernie Petrides 2005-10-28 02:25:46 UTC
Reassigning to PeterS at Linda's request.

Comment 2 Roland McGrath 2005-10-28 21:21:02 UTC
RHEL3 does not have the TASK_TRACED state (only TASK_STOPPED), so the failure
mode is not exactly the same in that regard.  I will dig up the test program
that reproduces the problem on affected kernels, and then we can see what it
does on RHEL3.

Comment 3 Peter Staubach 2005-11-08 19:49:15 UTC
Created attachment 120824 [details]
Testcase to reproduce the problem

Comment 4 Peter Staubach 2005-11-08 19:51:12 UTC
The patch refered to above in the bitkeeper bits is not sufficient to
address this situation in RHEL-3.  A hang still occurs when the test
program is run.  Some more diagnosis needs to be done in order to
discover what the situation is and what needs to be done to address it.

Comment 6 Mark J. Cox 2006-01-10 10:42:50 UTC
Peter wrote "Mark, the impact to the system for this issue seems to be small.  A
user can hang his own process, but will not be able to create more processes
than could otherwise be created.  The system remains functional while the the
process is hanging, so the possibility of an DoS attack, using this
situation, seems minimal."

Reducing to low severity

Comment 7 Peter Staubach 2006-02-03 18:53:18 UTC
Created attachment 124114 [details]
Proposed patch

Comment 8 Peter Staubach 2006-02-03 18:56:19 UTC
There were two sets of changes required in order to address the issue
here.  One was to keep the threads in the thread group, which are being
destroyed, from issuing SIGCHLD to their parent and waiting for it to
reap them.  The second was to correct the parent handling in the task
struct in order to prevent a child from attempting to become its own
parent.

Comment 9 Peter Staubach 2006-02-03 18:58:50 UTC
Created attachment 124115 [details]
Test program to reproduce the situation.

Comment 11 Bob Johnson 2006-04-11 15:48:43 UTC
This issue is on Red Hat Engineering's list of planned work items 
for the upcoming Red Hat Enterprise Linux 3.8 release.  Engineering 
resources have been assigned and barring unforeseen circumstances, Red 
Hat intends to include this item in the 3.8 release.

Comment 12 Ernie Petrides 2006-04-25 03:29:55 UTC
A fix for this problem has just been committed to the RHEL3 U8
patch pool this evening (in kernel version 2.4.21-40.10.EL).


Comment 15 Red Hat Bugzilla 2006-07-20 13:31:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0437.html



Note You need to log in before you can comment on or make changes to this bug.