Bug 302921 - (CVE-2006-6921) CVE-2006-6921 kernel: denial of service with wedged processes
CVE-2006-6921 kernel: denial of service with wedged processes
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 221403 221414 229882 302931
  Show dependency treegraph
Reported: 2007-09-24 06:55 EDT by Mark J. Cox (Product Security)
Modified: 2011-09-29 12:42 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-29 12:42:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2007-09-24 06:55:36 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-6921 to the following vulnerability:

Unspecified versions of the Linux kernel allows local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.


Comment 1 Mark J. Cox (Product Security) 2007-09-24 06:56:36 EDT
From Albert Cahalan:

Normally, when a process dies it becomes a zombie. If the parent dies (before or
after the child), the child is adopted by init. Init will reap the child.

The program included below DOES NOT get reaped.

Do like so:

gcc -m32 -O2 -std=gnu99 -o foo foo.c
while true; do killall -9 foo; ./foo; sleep 1; done

BTW, it gets even better if you start playing with ptrace. Use the "strace"
program (following children) and/or start sending rapid-fire SIGKILL to all the
various _threads_ in the processes. You can get processes wedged in a wide
variety of interesting states. I've seen "X" state, processes sitting around
with pending SIGKILL, a process stuck in "D" state supposedly core dumping
despite ulimit 0 on the core size, etc.
Comment 4 Mark J. Cox (Product Security) 2007-09-24 07:00:38 EDT
This issue does not affect versions of kernels shipped in RHEL2.1 or RHEL3.
Comment 8 Kurt Seifried 2011-09-29 12:42:56 EDT
All children bugs have been closed, parent is no longer needed.

Note You need to log in before you can comment on or make changes to this bug.