The ptrace functionality (ptrace.c) in Linux kernel 2.6 before
220.127.116.11, using CLONE_THREAD, does not use the thread group ID
to check whether it is attaching to itself, which allows local
users to cause a denial of service (crash).
Upstream fix at
This is a change to the user ABI and should not go into RHEL4.
The 2.6.14-stable branch upstream should not have put it in, IMHO.
Linus has decided that for 2.6.15 this ABI change is worth the risk and he'll
wait to hear users complain about it rather than worrying ahead of time.
We know from past reports that people have used ptrace in this way (one thread
to another within a process); such uses were probably ill-advised practice in
the first place, but if any exist in applications then changing this in RHEL4
would be a problem for customers. There were various crash or leak bugs (DoS
potential) relating to this usage pattern, but AFAIK each individual problem has
been addressed upstream (and I think those fixes backported to RHEL4, though I
am not positive). AIUI, the upstream change was not because there is any
current crash or DoS problem left, but because Linus decided it would be easier
to rule out the hairy class of usage patterns entirely than to worry about
stumbling across another such case since we already found and fixed a few cases
peculiar to this usage pattern. If there are particular crash/leak/DoS failure
modes in RHEL4 ptrace use, those should be filed as specific bugs and addressed