Bug 174079
Field | Value
---|---
Summary | [RHEL3] CVE-2005-3784 auto-reap DoS
Product | Red Hat Enterprise Linux 3
Reporter | Mark J. Cox <mjc>
Component | kernel
Assignee | Peter Staubach <staubach>
Status | CLOSED NOTABUG
QA Contact | Brian Brock <bbrock>
Severity | high
Docs Contact |
Priority | medium
Version | 3.0
CC | jbaron, lwang, petrides
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | source=vendorsec,reported=20051123,public=20051110,impact=important
Fixed In Version |
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2005-12-21 21:12:01 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Attachments |
Description

Mark J. Cox
2005-11-24 10:55:52 UTC

Created attachment 122345
Proposed patch

Mark, would it be possible to dig up a reproducer for this? There is an extra check (tsk->state != TASK_STOPPED) in RHEL3 that is not in 2.6 that might preclude the vulnerability. The patch in comment #1 carries the risk of introducing a DoS regression (kernel memory exhaustion due to not cleaning up task_structs), so we need to be 100% confident that we're fixing a real problem and that our fix is correct. Thanks in advance.

Thanks for the info, Mark. The reproducer gets an error on the clone() syscall on RHEL3, because the flags CLONE_THREAD and CLONE_DETACHED must either both be set or both be clear. So, I altered the test program to try both cases (both flags set and both flags clear), and in neither case was there a problem on my test system. Further, the info in the thread in comment #4 indicates that the upstream failure mode is that a BUG_ON() is hit in release_task(), and this does not exist in RHEL3. Rather, there is a test for the condition that prevents the associated block of code from being executed in the problematic case. The bottom line is that RHEL3 is not vulnerable to this bug.
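The clone() flag constraint described in the comments above (on RHEL3, CLONE_THREAD and CLONE_DETACHED must be both set or both clear, otherwise the syscall fails) can be checked directly on any kernel before trusting a "not vulnerable" verdict that depends on it. The probe below is an added example; it is not the reproducer, the altered test program, or the attached patch discussed in this bug. It issues clone() with each of the four combinations of the two flags and compares what the kernel does with the RHEL3 rule. The encoding of that rule in rhel3_flag_rule(), the choice of CLONE_VM | CLONE_SIGHAND as the minimum companion flags for a CLONE_THREAD child, and the treatment of EINVAL as the "error on the clone() syscall" the comment mentions are assumptions made here; what any other kernel reports is simply observed, not something the bug states.

```c
/* Added example (not code from this bug): probe a kernel's handling of the
 * CLONE_THREAD / CLONE_DETACHED combination and compare it with the rule
 * the RHEL3 comment describes ("both set or both clear", else an error).
 * Assumptions: a mismatched pair is rejected with EINVAL, and a
 * CLONE_THREAD child needs CLONE_VM | CLONE_SIGHAND to be accepted at all.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_DETACHED
#define CLONE_DETACHED 0x00400000 /* value from linux/sched.h */
#endif

/* The RHEL3 rule as stated in the bug: accept only when CLONE_THREAD and
 * CLONE_DETACHED are both present or both absent. Returns 1 = accept. */
int rhel3_flag_rule(int flags)
{
    int thread = (flags & CLONE_THREAD) != 0;
    int detached = (flags & CLONE_DETACHED) != 0;
    return thread == detached;
}

/* Compare an observed clone() outcome (return code rc, errno err) with the
 * RHEL3 rule. Returns 1 if the kernel behaved as RHEL3 is said to, 0 if it
 * did not, and -1 when the failure was something other than EINVAL (for
 * example ENOMEM), which says nothing about the flag check. */
int matches_rhel3_rule(int flags, int rc, int err)
{
    int accepted = rc >= 0;
    int rejected = (rc < 0 && err == EINVAL);
    if (!accepted && !rejected)
        return -1;
    return accepted == rhel3_flag_rule(flags);
}

/* Child entry point: exit immediately. For an ordinary child the parent
 * reaps it below; a CLONE_THREAD child just leaves the thread group. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/* Issue clone() with extra_flags on a private stack, adding the companion
 * flags assumed above. Returns the child id, or -1 with errno in *err. */
int probe_clone(int extra_flags, int *err)
{
    enum { STACK_SIZE = 64 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (!stack) {
        *err = errno;
        return -1;
    }
    int flags = extra_flags;
    if (flags & CLONE_THREAD)
        flags |= CLONE_VM | CLONE_SIGHAND;
    else
        flags |= SIGCHLD;

    errno = 0;
    int rc = clone(child_fn, stack + STACK_SIZE, flags, NULL);
    *err = errno;

    if (rc > 0 && !(flags & CLONE_THREAD))
        waitpid(rc, NULL, 0);            /* reap the ordinary child */
    /* A CLONE_THREAD child may still be running on this stack, so the
     * stack is deliberately leaked in that case; the probe is short-lived. */
    if (rc < 0 || !(flags & CLONE_THREAD))
        free(stack);
    return rc;
}

int main(void)
{
    const struct { const char *name; int flags; } cases[] = {
        { "neither",             0 },
        { "CLONE_THREAD only",   CLONE_THREAD },
        { "CLONE_DETACHED only", CLONE_DETACHED },
        { "both",                CLONE_THREAD | CLONE_DETACHED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = 0;
        int rc = probe_clone(cases[i].flags, &err);
        printf("%-20s rc=%d errno=%s rhel3-rule=%s agrees=%d\n",
               cases[i].name, rc, rc < 0 ? strerror(err) : "0",
               rhel3_flag_rule(cases[i].flags) ? "accept" : "EINVAL",
               matches_rhel3_rule(cases[i].flags, rc, err));
    }
    return 0;
}
```

Build with gcc and run as an unprivileged user. On a kernel that has no such check, the two mismatched rows will typically show agrees=0, which is the difference the comment relies on: a reproducer written against upstream's flag handling fails at clone() on RHEL3 and has to be altered before it exercises anything further.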