Bug 496031 (CVE-2009-1338) - CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Summary: CVE-2009-1338 kernel: 'kill sig -1' must only apply to caller's pid namespace
Alias: CVE-2009-1338
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 496032
Reported: 2009-04-16 06:49 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:57 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-04-22 13:23:36 UTC

Attachments
Upstream patch (1.46 KB, patch)
2009-04-16 06:50 UTC, Eugene Teo (Security Response)
Patch for mrg-1 (594 bytes, patch)
2009-04-16 08:49 UTC, Eugene Teo (Security Response)
To be patched with comment #6 (2.64 KB, patch)
2009-04-21 02:36 UTC, Eugene Teo (Security Response)

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2009:1081 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2009-06-03 15:36:49 UTC

Description Eugene Teo (Security Response) 2009-04-16 06:49:46 UTC
Description of problem:
Currently "kill <sig> -1" kills processes in all namespaces and breaks the
isolation of namespaces. Use "task_pid_vnr() > 1" to check since task_pid_vnr() returns 0 if process is outside the caller's namespace.

Upstream patch: http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7

Comment 1 Eugene Teo (Security Response) 2009-04-16 06:50:40 UTC
Created attachment 339796
Upstream patch

Comment 3 Eugene Teo (Security Response) 2009-04-16 06:54:54 UTC
PID namespaces were merged in 2.6.24. http://lwn.net/Articles/259217/

Comment 6 Eugene Teo (Security Response) 2009-04-16 08:49:33 UTC
Created attachment 339815
Patch for mrg-1

Comment 14 Eugene Teo (Security Response) 2009-04-21 02:33:27 UTC
(In reply to comment #12)
> We might need this patch too:
>  commit 44c4e1b2581f7273ab14ef30b6430618801c57b1
>  Author: Eric W. Biederman <ebiederm>
>  Date:   Fri Feb 8 04:19:15 2008 -0800
>      pid: Extend/Fix pid_vnr  

Together with this patch:

[root@rhel5-server-i386 ~]# uname -a
Linux rhel5-server-i386 #1 SMP PREEMPT RT Mon Apr 20 04:12:17 EDT 2009 i686 i686 i386 GNU/Linux
[root@rhel5-server-i386 ~]# bash
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   33 pts/0    00:00:00 bash
   41 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
[root@rhel5-server-i386 ~]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   43 pts/0    00:00:00 ps
[root@rhel5-server-i386 ~]# /bin/kill -s SIGKILL -1
kill -1: No such process

The other observation I had in comment #7 is also fixed with this patch.

This is the expected behaviour. Thanks.
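
The check named in the description and the session in comment #14, as a small user-space model. This is an added example, not the upstream patch or kernel code: the task table, `model_pid_vnr` and `kill_minus_one` are constructed for illustration, and the pre-fix comparison against the global pid is an assumption about the old check.

```c
#include <stdio.h>

/* Simplified user-space model, not kernel code. ns_pid is the task's pid
 * inside the container's pid namespace, 0 if it is not a member. */
struct task { const char *comm; int pid; int ns_pid; };

/* Constructed sample: two host tasks, three tasks in one container. */
static const struct task tasks[] = {
    { "init",  1,    0  },
    { "sshd",  500,  0  },
    { "bash",  2000, 1  },   /* the namespace's init */
    { "bash",  2033, 33 },
    { "kill",  2042, 42 },   /* the caller, inside the namespace */
};
#define NTASKS (sizeof(tasks) / sizeof(tasks[0]))

/* Stand-in for task_pid_vnr(): the pid as seen from the caller's
 * namespace, 0 when the task is outside it. */
static int model_pid_vnr(const struct task *p, int caller_in_ns)
{
    return caller_in_ns ? p->ns_pid : p->pid;
}

/* Walk every task as "kill <sig> -1" does; return a bitmask (bit i = tasks[i])
 * of those signalled. use_vnr=0 models the assumed pre-fix global-pid check. */
static unsigned kill_minus_one(int caller, int caller_in_ns, int use_vnr)
{
    unsigned hit = 0;
    for (unsigned i = 0; i < NTASKS; i++) {
        const struct task *p = &tasks[i];
        int nr = use_vnr ? model_pid_vnr(p, caller_in_ns) : p->pid;
        if (nr > 1 && (int)i != caller)  /* spare init and the caller */
            hit |= 1u << i;
    }
    return hit;
}

int main(void)
{
    unsigned old = kill_minus_one(4, 1, 0), fixed = kill_minus_one(4, 1, 1);
    for (unsigned i = 0; i < NTASKS; i++)
        printf("%-5s pid=%-5d ns_pid=%-3d global-pid check:%u  vnr check:%u\n",
               tasks[i].comm, tasks[i].pid, tasks[i].ns_pid,
               (old >> i) & 1, (fixed >> i) & 1);
    return 0;
}
```

With the global-pid comparison the walk reaches the host's sshd and the container's own init; with the task_pid_vnr()-style comparison only the second bash is signalled, which matches the ps output in the session.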

Comment 15 Eugene Teo (Security Response) 2009-04-21 02:36:50 UTC
Created attachment 340468
To be patched with comment #6

Comment 16 John Kacur 2009-05-18 14:32:48 UTC
First I tested with to make sure I could get everything to work as expected, and it did.

Then I tested with 2.6.24.7-115.el5rt and crashed the machine. After applying the patches from #15 and #6, everything worked as expected.

Comment 17 errata-xmlrpc 2009-06-03 15:36:57 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html
