The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a denial of service (crash). Fixed upstream by http://linux.bkbits.net:8080/linux-2.6/cset@437a0568g4lPMynwmUw1ajvC2ZroDg
Created attachment 122347: Proposed patch
I don't know of an existing test case unless one was posted on lkml. The way to produce the situation is to have a real parent that has set SIGCHLD to SIG_IGN, a child of that parent, a ptracer tracing the child, and then have the child die (e.g. kill -9 it). The bug here means that the tracer will not get a SIGCHLD, and the child will be reaped while the tracer is still attached. Note that if the tracer is already blocked in a wait* syscall, it will be woken up regardless of the bug, and so that might make it respond quickly enough to mask the effects of the bug. So, do not test using a tracer already blocked in wait* when the child dies; this is what the obvious sort of test using strace will do, and it may not be sufficient to clearly diagnose the bug.
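The scenario described in the comment above, written up as a regression check; this is an added example, not a test case from the bug report or the kernel tree. It assumes Linux, uses the tracing process as the child's grandparent (so a Yama ptrace_scope of 1 still permits the attach), and the REAP_* outcome codes are constructed here: a fixed kernel reports the traced child's death to the tracer, while the behaviour in this report reaps the child out from under it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome codes (constructed for this check). */
enum { REAP_OK = 0, REAP_BUG = 1, REAP_SKIP = 2 };

/* Set up: a real parent with SIGCHLD ignored, its child, and this process as
 * a separate tracer (the child's grandparent, so Yama ptrace_scope=1 allows
 * the attach).  Kill the traced child, then poll with WNOHANG rather than
 * blocking in wait*, so a missing exit notification is actually observable.
 * REAP_OK: tracer collected the exit status.  REAP_BUG: child was reaped
 * behind the tracer's back.  REAP_SKIP: ptrace attach not permitted here. */
int traced_child_death_reported(void)
{
    int fds[2], status = 0, result = REAP_SKIP;
    pid_t parent, child = 0;
    if (pipe(fds) < 0 || (parent = fork()) < 0) return REAP_SKIP;
    if (parent == 0) {                           /* the real parent */
        signal(SIGCHLD, SIG_IGN);                /* kernel auto-reaps its children */
        child = fork();
        if (child == 0) { close(fds[0]); close(fds[1]); for (;;) pause(); }
        if (write(fds[1], &child, sizeof child) != (ssize_t)sizeof child) _exit(1);
        for (;;) pause();                        /* stay alive; child keeps this parent */
    }
    close(fds[1]);
    if (read(fds[0], &child, sizeof child) != (ssize_t)sizeof child) child = 0;
    close(fds[0]);
    if (child > 0 && ptrace(PTRACE_ATTACH, child, 0, 0) == 0 &&
        waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
        kill(child, SIGKILL);                    /* tracee dies while still traced */
        result = REAP_BUG;
        for (int i = 0; i < 2000; i++) {         /* up to ~2 s, never block in wait */
            pid_t w = waitpid(child, &status, WNOHANG);
            if (w == child) { result = WIFSIGNALED(status) ? REAP_OK : REAP_BUG; break; }
            if (w < 0 && errno == ECHILD) break; /* gone without notifying the tracer */
            nanosleep(&(struct timespec){0, 1000000}, 0);
        }
    }
    if (result != REAP_OK && child > 0) kill(child, SIGKILL);
    kill(parent, SIGKILL);                       /* tear down the real parent */
    waitpid(parent, &status, 0);
    return result;
}
```

REAP_SKIP means the check could not attach (restricted ptrace_scope or a seccomp policy) and says nothing about the kernel either way.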
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0101.html