Bug 174078 - [RHEL4] CVE-2005-3784 auto-reap DoS
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All  OS: Linux
Priority: medium  Severity: high
Assigned To: Peter Staubach
QA Contact: Brian Brock
Keywords: Security
Depends On:
Blocks: 168430
Reported: 2005-11-24 05:54 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHSA-2006-0101
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-17 03:35:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (401 bytes, patch)
2005-12-16 14:35 EST, Peter Staubach

Description Mark J. Cox (Product Security) 2005-11-24 05:54:33 EST
The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes
processes with ptrace attached, which leads to a dangling ptrace reference and
allows local users to cause a denial of service (crash).

Fixed upstream by
Comment 3 Peter Staubach 2005-12-16 14:35:09 EST
Created attachment 122347
Proposed patch
Comment 5 Roland McGrath 2006-01-04 20:28:38 EST
I don't know of an existing test case unless one was posted on lkml.
The way to produce the situation is to have a real parent that has set SIGCHLD
to SIG_IGN, a child of that parent, a ptracer tracing the child, and then have
the child die (e.g. kill -9 it).  The bug here means that the tracer will not
get a SIGCHLD, and the child will be reaped while the tracer is still attached.
Note that if the tracer is already blocked in a wait* syscall, it will be woken
up regardless of the bug, and so that might make it respond quickly enough to
mask the effects of the bug.  So, do not test using a tracer already blocked in
wait* when the child dies; this is what the obvious sort of test using strace
will do, and it may not be sufficient to clearly diagnose the bug.
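The scenario Roland describes, written out as a regression check. This is an added example, not the attachment on this bug or a Red Hat test: the real parent sets SIGCHLD to SIG_IGN and forks an idle child, a sibling process attaches to that child with ptrace, the parent SIGKILLs the child, and the tracer waits for SIGCHLD with sigtimedwait instead of sitting in wait*, as the comment advises. The prctl(PR_SET_PTRACER) call (so the check also runs under Yama ptrace_scope=1), the pipe handshake, and the OUTCOME_* codes are my own assumptions. On a kernel with the fix the tracer is notified and can still reap the zombie (OUTCOME_FIXED); a kernel with the bug would leave the tracer unnotified and waitpid failing with ECHILD (OUTCOME_BUG).

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome codes (assumed convention) the tracer reports to the real parent. */
enum { OUTCOME_BUG = 0, OUTCOME_FIXED = 1, OUTCOME_SKIP = -1 };

/* Child under test: permit a non-ancestor tracer (Yama ptrace_scope=1),
 * report readiness over a pipe, then idle until it is SIGKILLed. */
static void tracee_main(int ready_fd)
{
#ifdef PR_SET_PTRACER
    prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
#endif
    (void)write(ready_fd, "r", 1);
    for (;;)
        pause();
}

/* Tracer: attach to a sibling, then wait for SIGCHLD via sigtimedwait rather
 * than in wait*, so a reap behind our back is not masked by a wakeup. */
static int tracer_main(pid_t tracee, int attached_fd)
{
    int status, sig;
    pid_t w;
    sigset_t chld;
    struct timespec zero = { 0, 0 }, limit = { 3, 0 };

    sigemptyset(&chld);
    sigaddset(&chld, SIGCHLD);
    signal(SIGCHLD, SIG_DFL);             /* undo the SIG_IGN inherited from the parent */
    sigprocmask(SIG_BLOCK, &chld, NULL);  /* collect SIGCHLD synchronously below */

    if (ptrace(PTRACE_ATTACH, tracee, NULL, NULL) == -1)
        return OUTCOME_SKIP;              /* ptrace not permitted in this environment */
    if (waitpid(tracee, &status, 0) != tracee || !WIFSTOPPED(status))
        return OUTCOME_SKIP;
    while (sigtimedwait(&chld, NULL, &zero) == SIGCHLD)
        ;                                 /* discard the SIGCHLD raised by the attach stop */
    ptrace(PTRACE_CONT, tracee, NULL, NULL);
    (void)write(attached_fd, "a", 1);     /* the parent may now kill the tracee */

    sig = sigtimedwait(&chld, NULL, &limit);
    w = waitpid(tracee, &status, WNOHANG);
    if (sig == SIGCHLD && w == tracee && WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return OUTCOME_FIXED;             /* notified, and the zombie was still ours to reap */
    if (w == -1 && errno == ECHILD)
        return OUTCOME_BUG;               /* child vanished while still traced */
    return OUTCOME_SKIP;
}

/* Real parent: ignores SIGCHLD (the auto-reap trigger), starts tracee and
 * tracer, kills the tracee, and returns the tracer's verdict. */
int run_scenario(void)
{
    int ready[2], attached[2], result[2];
    int r = OUTCOME_SKIP;
    char c;
    pid_t tracee, tracer;

    signal(SIGCHLD, SIG_IGN);
    if (pipe(ready) == -1)
        return OUTCOME_SKIP;
    tracee = fork();
    if (tracee == 0)
        tracee_main(ready[1]);            /* never returns */
    if (tracee == -1)
        return OUTCOME_SKIP;
    (void)read(ready[0], &c, 1);          /* tracee is up and has allowed tracing */

    if (pipe(attached) == -1 || pipe(result) == -1) {
        kill(tracee, SIGKILL);
        return OUTCOME_SKIP;
    }
    tracer = fork();
    if (tracer == 0) {
        int out = tracer_main(tracee, attached[1]);
        (void)write(result[1], &out, sizeof out);
        _exit(0);
    }
    close(attached[1]);
    close(result[1]);
    (void)read(attached[0], &c, 1);       /* 'a', or EOF if the tracer gave up */
    kill(tracee, SIGKILL);                /* the event under test */
    if (read(result[0], &r, sizeof r) != (ssize_t)sizeof r)
        r = OUTCOME_SKIP;

    close(ready[0]); close(ready[1]); close(attached[0]); close(result[0]);
    signal(SIGCHLD, SIG_DFL);
    return r;
}

int main(void)
{
    int r = run_scenario();
    printf("%s\n", r == OUTCOME_FIXED ? "tracer notified and reaped the child: fixed"
                 : r == OUTCOME_BUG   ? "child auto-reaped behind the tracer: bug present"
                                      : "skipped: ptrace not permitted here");
    return r == OUTCOME_BUG;
}
```

The tracer blocks SIGCHLD and collects it with sigtimedwait so that it is never inside a wait* call when the child dies; that is the condition Roland's comment says an strace-style test would get wrong. OUTCOME_SKIP covers environments where a sibling cannot attach at all (ptrace_scope 2 or 3, or a seccomp profile that denies ptrace), so a skip is distinguishable from the bug.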
Comment 10 Red Hat Bugzilla 2006-01-17 03:35:15 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

