Bug 112484

Summary: Kernel vulnerable for duplicate PIDs
Product: [Retired] Red Hat Linux
Reporter: Robert Scheck <redhat-bugzilla>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 9
CC: mitr, riel, tao
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-04-15 17:14:13 UTC

Description Robert Scheck 2003-12-20 20:01:35 UTC
Description of problem:
http://linux.bkbits.net:8080/linux-2.4/related/kernel/fork.c?nav=index.html|src/.|src/kernel (duplicate PID fix)

Version-Release number of selected component (if applicable):
kernel-2.4.20-24.9

Actual results:
I don't know whether it's really possible to use that vulnerability... so it's your turn ;-)

Expected results:
Maybe - if you think the patch is really needed:
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-t-kochi.nec.com|ChangeSet|20031216155916|03275.txt

Additional info:
Only Fedora Core's Kernel 2.4.22 is patched against that 
vulnerability. Affected are all Red Hat Linux versions.

Comment 1 Mark J. Cox 2004-04-08 09:58:51 UTC
So this shouldn't affect any NPTL kernel, which has entirely different code.

One of our kernel engineers said: "A duplicate PID can be a security issue if the duplicate replaces the previous task. In that case an unprivileged user could 'mask' the PID of a root daemon, and if somewhere authentication is PID based, it could assume the identity of that process." However, since users cannot normally fill up the PID space, there would not be a generic exploit for the default install.


Comment 2 Robert Scheck 2004-04-09 13:55:36 UTC
Hm, but why is Fedora Core's NPTL Kernel then patched against the
vulnerability, when it isn't affected?

Comment 3 Dave Jones 2004-04-12 11:12:21 UTC
The Fedora NPTL patch actually _removes_ that code. Again, it's
completely different.


Comment 4 Robert Scheck 2004-04-15 17:14:13 UTC
Okay...if you say that, then it isn't a bug :-)