Bug 829263

Summary: Sudo has racecondition leaving sudo with its zombie child running forever
Product: Red Hat Enterprise Linux 5 Reporter: Matthias Hensler <mails.bugzilla.redhat.com>
Component: sudoAssignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA QA Contact: Zbysek MRAZ <zmraz>
Severity: high Docs Contact:
Priority: high    
Version: 5.8CC: dapospis, dkopecek, ebenes, fkrska, jpallich, plyons, pvrabec
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sudo-1.7.2p1-17.el5 Doc Type: Bug Fix
Doc Text:
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, the program could possibly exit successfully before sudo started waiting for it. In this situation, the program would be left in a zombie state and sudo would wait for it endlessly, expecting it to still be running.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-08 07:49:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 844978    

Description Matthias Hensler 2012-06-06 10:50:37 UTC 
Description of problem:
Sometimes when running a command using sudo, it never finishes. In that case the executed command already exited and is left as Zombie which is never collected by sudo.


Version-Release number of selected component (if applicable):
sudo-1.7.2p1-13.el5

How reproducible:
From what I see the problem occurs in around one of hundred, but heavily relies on the workload of the systems.


Steps to Reproduce:
1. Run a command with sudo
2.
3.
  
Actual results:
Sometimes sudo does not exit.


Expected results:
Sudo should exit after the command is finished.


Additional info:
The problem is a race in sudos code when spawning its child process. It opens a socket to its child for receiving input from the child. However if a taskswitch occurs right after the child was spawned and the child finished before control is returned to the sudo-parent, the parentprocess waits indefinitly in a select()-call reading from the child pipe.

The full problem is explained in detail in this blogpost: http://blog.famzah.net/2010/11/01/sudo-hangs-and-leaves-the-executed-program-as-zombie/

The problem was reported upstream in the project bugzilla under ID 447 (http://www.gratisoft.us/bugzilla/show_bug.cgi?id=447) and was fixed in sudo versions 1.7.5 and 1.8.0.

The solution is to simply add a timeout to the select()-call and should be a low impact patch to the current EL5-version of sudo.
Comment 1 RHEL Program Management 2012-07-31 13:09:34 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 2 Matthias Hensler 2012-08-01 10:21:59 UTC 
I think sudo is that kind of security tool which should receive an update/patch whenever a problem exists. That race descriped here cannot be used to gain higher privileges, but can be used to flood the system with zombies very easily.

You write that no update is scheduled for EL5, however, the last sudo-update was just 2 weeks ago, adding a patch for CVE-2012-2337 (see rhbz#829766).
Comment 3 Daniel Kopeček 2012-08-01 10:36:28 UTC 
Hi,

(In reply to comment #2)
> I think sudo is that kind of security tool which should receive an
> update/patch whenever a problem exists. That race descriped here cannot be
> used to gain higher privileges, but can be used to flood the system with
> zombies very easily.
> 
> You write that no update is scheduled for EL5, however, the last sudo-update
> was just 2 weeks ago, adding a patch for CVE-2012-2337 (see rhbz#829766).

we're working on addressing this issue in 5.8.z, so this issue should be fixed soon.
Comment 8 Murray McAllister 2012-08-13 04:26:30 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, the program could possibly exit successfully before sudo started waiting for it. In this situation, the program would be left in a zombie state and sudo would wait for it endlessly, expecting it to still be running.
Comment 12 errata-xmlrpc 2013-01-08 07:49:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0112.html