Bug 496031 (CVE-2009-1338)

Summary: CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Product: [Other] Security Response
Component: vulnerability
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: bhu, jkacur, lgoncalv, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-04-22 13:23:36 UTC
Bug Depends On: 496032
Attachments:
  Upstream patch
  Patch for mrg-1
  To be patched with comment #6

Description Eugene Teo (Security Response) 2009-04-16 06:49:46 UTC
Description of problem:
Currently "kill <sig> -1" kills processes in all namespaces and breaks the
isolation of namespaces. Use "task_pid_vnr() > 1" to check since task_pid_vnr() returns 0 if process is outside the caller's namespace.

Upstream patch: http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7
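
Added example, not part of the original bug report or the upstream patch: a small user-space C model of how kill(-1) selects its targets, comparing a test on the global pid (this example's assumption about the pre-patch check) with the namespace-relative "task_pid_vnr() > 1" test named in the description. The task table, model_pid_vnr() and kill_all_targets() are hypothetical names constructed for illustration.

```c
#include <stdio.h>

/* Two-level user-space model constructed for illustration; ns 0 = initial pid namespace. */
struct task {
    int pid;     /* pid in the initial namespace (the value in p->pid) */
    int ns;      /* namespace the task lives in */
    int ns_pid;  /* pid inside its own namespace */
};

/* Constructed tasks; child-namespace pids mirror the ps output in comment 14. */
static const struct task tasks[] = {
    { 1,    0, 1    },   /* host init */
    { 2001, 0, 2001 },   /* host shell */
    { 3000, 1, 1    },   /* bash, init of the child namespace */
    { 3040, 1, 33   },   /* bash in the child namespace */
    { 3050, 1, 41   },   /* kill in the child namespace */
};
#define NTASKS ((int)(sizeof(tasks) / sizeof(tasks[0])))

/* Pid of p as seen from the caller's namespace, 0 if p is not visible there. */
static int model_pid_vnr(const struct task *p, const struct task *caller)
{
    if (caller->ns == 0)
        return p->pid;   /* the initial namespace sees every task */
    return p->ns == caller->ns ? p->ns_pid : 0;
}

/* Number of tasks kill(-1) from `caller` would signal.
 * fixed == 0: assumed pre-patch test on the global pid; fixed == 1: namespace-relative test. */
int kill_all_targets(const struct task *caller, int fixed)
{
    int hits = 0;
    for (int i = 0; i < NTASKS; i++) {
        const struct task *p = &tasks[i];
        int id = fixed ? model_pid_vnr(p, caller) : p->pid;
        if (id > 1 && p != caller)   /* p != caller stands in for !same_thread_group() */
            hits++;
    }
    return hits;
}

int main(void)
{
    const struct task *callers[] = { &tasks[4], &tasks[1] };
    for (int i = 0; i < 2; i++)
        printf("caller pid %d: global-pid check %d, vnr check %d\n", callers[i]->pid,
               kill_all_targets(callers[i], 0), kill_all_targets(callers[i], 1));
    return 0;
}
```

In this model the namespace-relative test leaves the host tasks and the child namespace's own pid 1 untouched, and a caller in the initial namespace selects the same tasks under either test.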

Comment 1 Eugene Teo (Security Response) 2009-04-16 06:50:40 UTC
Created attachment 339796
Upstream patch

Comment 3 Eugene Teo (Security Response) 2009-04-16 06:54:54 UTC
PID namespaces is merged in 2.6.24. http://lwn.net/Articles/259217/

Comment 6 Eugene Teo (Security Response) 2009-04-16 08:49:33 UTC
Created attachment 339815
Patch for mrg-1

Comment 14 Eugene Teo (Security Response) 2009-04-21 02:33:27 UTC
(In reply to comment #12)
> We might need this patch too:
>  commit 44c4e1b2581f7273ab14ef30b6430618801c57b1
>  Author: Eric W. Biederman <ebiederm>
>  Date:   Fri Feb 8 04:19:15 2008 -0800
> 
>      pid: Extend/Fix pid_vnr  

Together with this patch:

[root@rhel5-server-i386 ~]# uname -a
Linux rhel5-server-i386 2.6.24.7-112.bz496032.el5 #1 SMP PREEMPT RT Mon Apr 20 04:12:17 EDT 2009 i686 i686 i386 GNU/Linux
[root@rhel5-server-i386 ~]# bash
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   33 pts/0    00:00:00 bash
   41 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
Killed
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   43 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
kill -1: No such process

The other observation I had in comment #7 is also fixed with this patch.

This is the expected behaviour. Thanks.

Comment 15 Eugene Teo (Security Response) 2009-04-21 02:36:50 UTC
Created attachment 340468
To be patched with comment #6

Comment 16 John Kacur 2009-05-18 14:32:48 UTC
First I tested with 2.6.29.3-15.el5rt to make sure I could get everything to work as expected, and it did.

Then I tested with 2.6.24.7-115.el5rt and crashed the machine. After applying the patches from #15 and #6, then everything worked as expected.

Comment 17 errata-xmlrpc 2009-06-03 15:36:57 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html