Bug 496031 (CVE-2009-1338) - CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Summary: CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1338
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 496032
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-16 06:49 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-22 13:23:36 UTC


Attachments (Terms of Use)
Upstream patch (1.46 KB, patch)
2009-04-16 06:50 UTC, Eugene Teo (Security Response)
no flags Details | Diff
Patch for mrg-1 (594 bytes, patch)
2009-04-16 08:49 UTC, Eugene Teo (Security Response)
no flags Details | Diff
To be patched with comment #6 (2.64 KB, patch)
2009-04-21 02:36 UTC, Eugene Teo (Security Response)
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1081 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-06-03 15:36:49 UTC

Description Eugene Teo (Security Response) 2009-04-16 06:49:46 UTC
Description of problem:
Currently "kill <sig> -1" kills processes in all namespaces and breaks the
isolation of namespaces. Use "task_pid_vnr() > 1" to check since task_pid_vnr() returns 0 if process is outside the caller's namespace.

Upstream patch: http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7

Comment 1 Eugene Teo (Security Response) 2009-04-16 06:50:40 UTC
Created attachment 339796 [details]
Upstream patch

Comment 3 Eugene Teo (Security Response) 2009-04-16 06:54:54 UTC
PID namespaces is merged in 2.6.24. http://lwn.net/Articles/259217/

Comment 6 Eugene Teo (Security Response) 2009-04-16 08:49:33 UTC
Created attachment 339815 [details]
Patch for mrg-1

Comment 14 Eugene Teo (Security Response) 2009-04-21 02:33:27 UTC
(In reply to comment #12)
> We might need this patch too:
>  commit 44c4e1b2581f7273ab14ef30b6430618801c57b1
>  Author: Eric W. Biederman <ebiederm@xmission.com>
>  Date:   Fri Feb 8 04:19:15 2008 -0800
> 
>      pid: Extend/Fix pid_vnr  

Together with this patch:

[root@rhel5-server-i386 ~]# uname -a
Linux rhel5-server-i386 2.6.24.7-112.bz496032.el5 #1 SMP PREEMPT RT Mon Apr 20 04:12:17 EDT 2009 i686 i686 i386 GNU/Linux
[root@rhel5-server-i386 ~]# bash
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   33 pts/0    00:00:00 bash
   41 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
Killed
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   43 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
kill -1: No such process

The other observation I had in comment #7 is also fixed with this patch.

This is the expected behaviour. Thanks.

Comment 15 Eugene Teo (Security Response) 2009-04-21 02:36:50 UTC
Created attachment 340468 [details]
To be patched with comment #6

Comment 16 John Kacur 2009-05-18 14:32:48 UTC
First I tested with 2.6.29.3-15.el5rt to make sure I could get everything to work as expected, and it did.

Then I tested with2.6.24.7-115.el5rt and crashed the machine. After applying the patches from #15 and #6, then everything worked as expected.

Comment 17 errata-xmlrpc 2009-06-03 15:36:57 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html


Note You need to log in before you can comment on or make changes to this bug.