Bug 174075 - [RHEL4] CVE-2005-3783 ptrace DoS
Summary: [RHEL4] CVE-2005-3783 ptrace DoS
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Peter Staubach
QA Contact: Brian Brock
URL:
Whiteboard: source=cve,reported=20051123,impact=i...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-11-24 10:37 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-01-05 16:48:29 UTC


Attachments (Terms of Use)

Description Mark J. Cox 2005-11-24 10:37:19 UTC
The ptrace functionality (ptrace.c) in Linux kernel 2.6 before
        2.6.14.2, using CLONE_THREAD, does not use the thread group ID
        to check whether it is attaching to itself, which allows local
        users to cause a denial of service (crash).

Upstream fix at
http://linux.bkbits.net:8080/linux-2.6/cset@437a051edjJd4hepRSim3RmOtpXX5w

Comment 3 Roland McGrath 2006-01-05 01:15:53 UTC
This is a change to the user ABI and should not go into RHEL4.
The 2.6.14-stable branch upstream should not have put it in, IMHO.
Linus has decided that for 2.6.15 this ABI change is worth the risk and he'll
wait to hear users complain about it rather than worrying ahead of time.
We know from past reports that people have used ptrace in this way (one thread
to another within a process); such uses were probably ill-advised practice in
the first place, but if any exist in applications then changing this in RHEL4
would be a problem for customers.  There were various crash or leak bugs (DoS
potential) relating to this usage pattern, but AFAIK each individual problem has
been addressed upstream (and I think those fixes backported to RHEL4, though I
am not positive).  AIUI, the upstream change was not because there is any
current crash or DoS problem left, but because Linus decided it would be easier
to rule out the hairy class of usage patterns entirely than to worry about
stumbling across another such case since we already found and fixed a few cases
peculiar to this usage pattern.  If there are particular crash/leak/DoS failure
modes in RHEL4 ptrace use, those should be filed as specific bugs and addressed
directly.


Note You need to log in before you can comment on or make changes to this bug.