Bug 302921 (CVE-2006-6921)

Summary: CVE-2006-6921 kernel: denial of service with wedged processes
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: gnichols, johnp, kernel-maint, kernel-mgr, kreilly, kseifried, rt-maint
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6921
Doc Type: Bug Fix
Last Closed: 2011-09-29 16:42:56 UTC
Bug Depends On: 221403, 221414, 229882, 302931

Description Mark J. Cox 2007-09-24 10:55:36 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-6921 to the following vulnerability:

Unspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.

References:

http://uwsg.iu.edu/hypermail/linux/kernel/0612.2/0980.html
http://uwsg.iu.edu/hypermail/linux/kernel/0612.2/1021.html

Comment 1 Mark J. Cox 2007-09-24 10:56:36 UTC
From Albert Cahalan:

Normally, when a process dies it becomes a zombie. If the parent dies (before or
after the child), the child is adopted by init. Init will reap the child.

The program included below DOES NOT get reaped.

Do like so:

gcc -m32 -O2 -std=gnu99 -o foo foo.c
while true; do killall -9 foo; ./foo; sleep 1; done

BTW, it gets even better if you start playing with ptrace. Use the "strace"
program (following children) and/or start sending rapid-fire SIGKILL to all the
various _threads_ in the processes. You can get processes wedged in a wide
variety of interesting states. I've seen "X" state, processes sitting around
with pending SIGKILL, a process stuck in "D" state supposedly core dumping
despite ulimit 0 on the core size, etc.
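
Added example (not part of the bug report or of the quoted message): a Python check for the symptom described in comment 1, zombies parented to init that are still present after a delay. The function names, the sample stat lines and the 5-second interval are assumptions made for illustration; the parsing follows the /proc/<pid>/stat layout.

```python
import os, time
from collections import namedtuple

Proc = namedtuple("Proc", "pid comm state ppid starttime")

def parse_stat(line):
    """Parse a /proc/<pid>/stat line (None if malformed). comm may contain spaces
    or ')', so split on the last ')'. State, ppid, starttime are fields 3, 4, 22."""
    try:
        lparen, rparen = line.index("("), line.rindex(")")
        rest = line[rparen + 1:].split()
        return Proc(int(line[:lparen]), line[lparen + 1:rparen],
                    rest[0], int(rest[1]), int(rest[19]))
    except (ValueError, IndexError):
        return None

def zombies_under(stat_lines, reaper_pid=1):
    """Zombies (state Z) whose parent is the reaper, normally init."""
    procs = filter(None, map(parse_stat, stat_lines))
    return [p for p in procs if p.state == "Z" and p.ppid == reaper_pid]

def stuck_zombies(first, second, reaper_pid=1):
    """Zombies in both snapshots. Identity is (pid, starttime), so a
    recycled PID is not mistaken for the same unreaped process."""
    seen = {(p.pid, p.starttime) for p in zombies_under(first, reaper_pid)}
    return [p for p in zombies_under(second, reaper_pid)
            if (p.pid, p.starttime) in seen]

def snapshot(proc="/proc"):
    lines = []
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, name, "stat")) as f:
                lines.append(f.read())
        except OSError:
            continue  # process exited between listdir and open
    return lines

# Constructed sample snapshots (not taken from the bug report).
_TAIL = " 4000 4000 0 -1 4228100 0 0 0 0 0 0 0 0 20 0 1 0 "
SAMPLE_T0 = ["4321 (foo) Z 1" + _TAIL + "987654",      # never reaped
             "4400 (a b) c) Z 1" + _TAIL + "990000",   # reaped before T1
             "4500 (bash) S 4000" + _TAIL + "991000"]  # ordinary process
SAMPLE_T1 = ["4321 (foo) Z 1" + _TAIL + "987654",
             "4400 (foo) Z 1" + _TAIL + "999999"]      # PID 4400 recycled

if __name__ == "__main__":
    first = snapshot(); time.sleep(5)  # interval is an arbitrary choice
    print(stuck_zombies(first, snapshot()))
```

A zombie under init for a moment is normal; only entries that survive between snapshots match the behaviour reported here.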

Comment 4 Mark J. Cox 2007-09-24 11:00:38 UTC
This issue does not affect versions of kernels shipped in RHEL2.1 or RHEL3.

Comment 8 Kurt Seifried 2011-09-29 16:42:56 UTC
All children bugs have been closed, parent is no longer needed.