Bug 496031 - (CVE-2009-1338) CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
public=20081029,impact=moderate,repor...
: Security
Depends On: 496032
Reported: 2009-04-16 02:49 EDT by Eugene Teo (Security Response)
Modified: 2016-04-22 09:23 EDT
Doc Type: Bug Fix
Last Closed: 2016-04-22 09:23:36 EDT
Attachments
Upstream patch (1.46 KB, patch)
2009-04-16 02:50 EDT, Eugene Teo (Security Response)
Patch for mrg-1 (594 bytes, patch)
2009-04-16 04:49 EDT, Eugene Teo (Security Response)
To be patched with comment #6 (2.64 KB, patch)
2009-04-20 22:36 EDT, Eugene Teo (Security Response)

Description Eugene Teo (Security Response) 2009-04-16 02:49:46 EDT
Description of problem:
Currently "kill <sig> -1" kills processes in all namespaces and breaks the
isolation of namespaces. Use "task_pid_vnr() > 1" to check since task_pid_vnr() returns 0 if process is outside the caller's namespace.

Upstream patch: http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7
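
Added example, not part of the bug report or the upstream patch: a user-space C model of the check described above, run over a constructed task table with a host and two sibling containers. The struct layout, task names, PIDs, the helper name model_pid_vnr() and the pre-fix test on the global PID are assumptions made for illustration; only the "task_pid_vnr() > 1" rule comes from the report.

```c
#include <stdio.h>
#include <stddef.h>

struct pid_ns { int level; };                 /* level 0 = initial namespace */
struct upid { int nr; const struct pid_ns *ns; };
struct task { const char *comm; int level; struct upid numbers[2]; };

/* Model of task_pid_vnr(): PID of t as seen from ns, 0 if t is not visible. */
static int model_pid_vnr(const struct task *t, const struct pid_ns *ns)
{
    if (ns->level <= t->level && t->numbers[ns->level].ns == ns)
        return t->numbers[ns->level].nr;
    return 0;
}

/* Assumed pre-fix test: looks only at the global (level 0) PID. */
static int old_check(const struct task *t) { return t->numbers[0].nr > 1; }

/* Post-fix test from the report: PID relative to the caller's namespace. */
static int new_check(const struct task *t, const struct pid_ns *ns) { return model_pid_vnr(t, ns) > 1; }

static const struct pid_ns init_ns = {0}, ct_a = {1}, ct_b = {1};

/* Constructed task table: host plus two sibling containers. */
static const struct task tasks[] = {
    {"init",    0, {{1,    &init_ns}}},
    {"sshd",    0, {{812,  &init_ns}}},
    {"a-init",  1, {{2001, &init_ns}, {1,  &ct_a}}},
    {"a-bash",  1, {{2002, &init_ns}, {33, &ct_a}}},
    {"b-init",  1, {{3001, &init_ns}, {1,  &ct_b}}},
    {"b-httpd", 1, {{3002, &init_ns}, {7,  &ct_b}}},
};

/* Tasks a "kill <sig> -1" from caller would signal (caller's own thread group not modelled). */
static int count_signalled(const struct pid_ns *caller, int fixed)
{
    int n = 0;
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        n += fixed ? new_check(&tasks[i], caller) : old_check(&tasks[i]);
    return n;
}

int main(void)
{
    printf("from ct_a: old=%d new=%d\n", count_signalled(&ct_a, 0), count_signalled(&ct_a, 1));
    printf("from host: old=%d new=%d\n", count_signalled(&init_ns, 0), count_signalled(&init_ns, 1));
    return 0;
}
```

In the model, a caller in ct_a reaches only a-bash with the namespace-relative test, and the container's own PID 1 is spared. A caller in the initial namespace still reaches every task except init, because tasks in descendant namespaces remain visible from the parent.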
Comment 1 Eugene Teo (Security Response) 2009-04-16 02:50:40 EDT
Created attachment 339796
Upstream patch
Comment 3 Eugene Teo (Security Response) 2009-04-16 02:54:54 EDT
PID namespaces were merged in 2.6.24. http://lwn.net/Articles/259217/
Comment 6 Eugene Teo (Security Response) 2009-04-16 04:49:33 EDT
Created attachment 339815
Patch for mrg-1
Comment 14 Eugene Teo (Security Response) 2009-04-20 22:33:27 EDT
(In reply to comment #12)
> We might need this patch too:
>  commit 44c4e1b2581f7273ab14ef30b6430618801c57b1
>  Author: Eric W. Biederman <ebiederm@xmission.com>
>  Date:   Fri Feb 8 04:19:15 2008 -0800
> 
>      pid: Extend/Fix pid_vnr  

Together with this patch:

[root@rhel5-server-i386 ~]# uname -a
Linux rhel5-server-i386 2.6.24.7-112.bz496032.el5 #1 SMP PREEMPT RT Mon Apr 20 04:12:17 EDT 2009 i686 i686 i386 GNU/Linux
[root@rhel5-server-i386 ~]# bash
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   33 pts/0    00:00:00 bash
   41 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
Killed
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   43 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
kill -1: No such process

The other observation I had in comment #7 is also fixed with this patch.

This is the expected behaviour. Thanks.
Comment 15 Eugene Teo (Security Response) 2009-04-20 22:36:50 EDT
Created attachment 340468
To be patched with comment #6
Comment 16 John Kacur 2009-05-18 10:32:48 EDT
First I tested with 2.6.29.3-15.el5rt to make sure I could get everything to work as expected, and it did.

Then I tested with 2.6.24.7-115.el5rt and crashed the machine. After applying the patches from #15 and #6, everything worked as expected.
Comment 17 errata-xmlrpc 2009-06-03 11:36:57 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html
