Bug 170261 - CVE-2005-3107 zap_threads DoS
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Peter Staubach
QA Contact: Brian Brock
Whiteboard: public=20050115,impact=low,source=cve
Keywords: Security
Depends On:
Blocks: RHEL3U8CanFix 186960
Reported: 2005-10-10 07:38 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST

Fixed In Version: RHSA-2006-0437
Doc Type: Bug Fix
Last Closed: 2006-07-20 09:31:56 EDT


Attachments
Testcase to reproduce the problem (2.29 KB, text/plain)
2005-11-08 14:49 EST, Peter Staubach
Proposed patch (1.37 KB, patch)
2006-02-03 13:53 EST, Peter Staubach
Test program to reproduce the situation. (2.65 KB, text/plain)
2006-02-03 13:58 EST, Peter Staubach

Description Mark J. Cox (Product Security) 2005-10-10 07:38:40 EDT
fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares
the same memory map, might allow local users to cause a denial of service
(deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED
state.

http://linux.bkbits.net:8080/linux-2.6/cset%4041e9a97cuQ7FWekabtf12Orvpfbp1w

This issue does not affect linux-2.4 but may affect RHEL3 due to the backported
nptl patch in linux-2.4.20-o1-nptl.patch.  

(Note that we fixed this in RHEL4U1 in *6.9-ptrace-fixes.patch)
Comment 1 Ernie Petrides 2005-10-27 22:25:46 EDT
Reassigning to PeterS at Linda's request.
Comment 2 Roland McGrath 2005-10-28 17:21:02 EDT
RHEL3 does not have the TASK_TRACED state (only TASK_STOPPED), so the failure
mode is not exactly the same in that regard.  I will dig up the test program
that reproduces the problem on affected kernels, and then we can see what it
does on RHEL3.
Comment 3 Peter Staubach 2005-11-08 14:49:15 EST
Created attachment 120824 [details]
Testcase to reproduce the problem
Comment 4 Peter Staubach 2005-11-08 14:51:12 EST
The patch referred to above in the bitkeeper bits is not sufficient to
address this situation in RHEL-3.  A hang still occurs when the test
program is run.  Some more diagnosis needs to be done in order to
discover what the situation is and what needs to be done to address it.
Comment 6 Mark J. Cox (Product Security) 2006-01-10 05:42:50 EST
Peter wrote "Mark, the impact to the system for this issue seems to be small.  A
user can hang his own process, but will not be able to create more processes
than could otherwise be created.  The system remains functional while the
process is hanging, so the possibility of a DoS attack, using this
situation, seems minimal."

Reducing to low severity
Comment 7 Peter Staubach 2006-02-03 13:53:18 EST
Created attachment 124114 [details]
Proposed patch
Comment 8 Peter Staubach 2006-02-03 13:56:19 EST
There were two sets of changes required in order to address the issue
here.  One was to keep the threads in the thread group, which are being
destroyed, from issuing SIGCHLD to their parent and waiting for it to
reap them.  The second was to correct the parent handling in the task
struct in order to prevent a child from attempting to become its own
parent.
Comment 9 Peter Staubach 2006-02-03 13:58:50 EST
Created attachment 124115 [details]
Test program to reproduce the situation.
Comment 11 Bob Johnson 2006-04-11 11:48:43 EDT
This issue is on Red Hat Engineering's list of planned work items 
for the upcoming Red Hat Enterprise Linux 3.8 release.  Engineering 
resources have been assigned and barring unforeseen circumstances, Red 
Hat intends to include this item in the 3.8 release.
Comment 12 Ernie Petrides 2006-04-24 23:29:55 EDT
A fix for this problem has just been committed to the RHEL3 U8
patch pool this evening (in kernel version 2.4.21-40.10.EL).
Comment 15 Red Hat Bugzilla 2006-07-20 09:31:56 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0437.html
