Red Hat Bugzilla – Bug 174075
[RHEL4] CVE-2005-3783 ptrace DoS
Last modified: 2007-11-30 17:07:21 EST
The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which allows local users to cause a denial of service (crash). Upstream fix at http://linux.bkbits.net:8080/linux-2.6/cset@437a051edjJd4hepRSim3RmOtpXX5w
This is a change to the user ABI and should not go into RHEL4. The 2.6.14-stable branch upstream should not have put it in, IMHO. Linus has decided that for 2.6.15 this ABI change is worth the risk and he'll wait to hear users complain about it rather than worrying ahead of time. We know from past reports that people have used ptrace in this way (one thread to another within a process); such uses were probably ill-advised practice in the first place, but if any exist in applications then changing this in RHEL4 would be a problem for customers. There were various crash or leak bugs (DoS potential) relating to this usage pattern, but AFAIK each individual problem has been addressed upstream (and I think those fixes backported to RHEL4, though I am not positive). AIUI, the upstream change was not because there is any current crash or DoS problem left, but because Linus decided it would be easier to rule out the hairy class of usage patterns entirely than to worry about stumbling across another such case since we already found and fixed a few cases peculiar to this usage pattern. If there are particular crash/leak/DoS failure modes in RHEL4 ptrace use, those should be filed as specific bugs and addressed directly.