Bug 170261
| Summary: | CVE-2005-3107 zap_threads DoS | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Mark J. Cox <mjc> |
| Component: | kernel | Assignee: | Peter Staubach <staubach> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.0 | CC: | lwang, mingo, petrides, roland |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | public=20050115,impact=low,source=cve | | |
| Fixed In Version: | RHSA-2006-0437 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-07-20 13:31:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 181405, 186960 | | |
Description
Mark J. Cox
2005-10-10 11:38:40 UTC
Reassigning to PeterS at Linda's request.

RHEL3 does not have the TASK_TRACED state (only TASK_STOPPED), so the failure mode is not exactly the same in that regard. I will dig up the test program that reproduces the problem on affected kernels, and then we can see what it does on RHEL3.

Created attachment 120824
Testcase to reproduce the problem

The patch referred to above in the bitkeeper bits is not sufficient to address this situation in RHEL-3. A hang still occurs when the test program is run. Some more diagnosis needs to be done in order to discover what the situation is and what needs to be done to address it.

Peter wrote "Mark, the impact to the system for this issue seems to be small. A user can hang his own process, but will not be able to create more processes than could otherwise be created. The system remains functional while the process is hanging, so the possibility of a DoS attack, using this situation, seems minimal." Reducing to low severity.

Created attachment 124114
Proposed patch

There were two sets of changes required in order to address the issue here. One was to keep the threads in the thread group, which are being destroyed, from issuing SIGCHLD to their parent and waiting for it to reap them. The second was to correct the parent handling in the task struct in order to prevent a child from attempting to become its own parent.

Created attachment 124115
Test program to reproduce the situation.

This issue is on Red Hat Engineering's list of planned work items for the upcoming Red Hat Enterprise Linux 3.8 release. Engineering resources have been assigned and barring unforeseen circumstances, Red Hat intends to include this item in the 3.8 release.

A fix for this problem has just been committed to the RHEL3 U8 patch pool this evening (in kernel version 2.4.21-40.10.EL).

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0437.html