oss-sec mailing list archives
Re: CVE REQUEST: linux kernel: process with pgid zero able to crash kernel
From: Harshula <harshula () redhat com>
Date: Fri, 20 Jan 2017 21:39:41 +1100
Hi Greg,

On Fri, 2017-01-20 at 09:26 +0100, Greg KH wrote:
> On Fri, Jan 20, 2017 at 01:41:52PM +1100, Harshula wrote:
> > Hi Folks,
> >
> > Red Hat Product Security has been notified of a kernel vulnerability that a local attacker can exploit to crash/panic the kernel and cause a denial of service. This was reported to Red Hat by Jesse Hertz (CC'd) (reproducer: rt411016):
> >
> > "A process that is in the same process group as the ``init'' process (group id zero) can crash the Linux 2 kernel with several system calls by passing in a process ID or process group ID of zero. The value zero is a special value that indicates the current process ID or process group. However, in this case it is also the process group ID of the process."
> >
> > I've been testing whether RHEL is vulnerable and found the following:
> >
> > * Upstream/mainline is not vulnerable
>
> Is this true for the mainline kernel tree that RHEL 6 was based on?
>
> > * RHEL 7 is not vulnerable
> > * RHEL 6 is vulnerable
> > * RHEL 5 is partially vulnerable
>
> So this is only due to a specific set of patches that were added to RHEL 6 and RHEL 5 yet never made it upstream? I ask as we want to make sure some of the older LTS mainline kernels might be affected and it would be good to ensure they are not.
Good questions, I had not looked at it from a mainline timeline perspective.

1) Mainline kernels containing patches [a], [b] and [c] are not vulnerable.

2) The vulnerability is *NOT* due to non-upstream patches that went into RHEL 5 and/or 6.

3) I suspect some older LTS mainline kernels that branched off mainline/upstream at around the same time as RHEL 6 would be vulnerable. Check if the data structure fields, corresponding to the initialization changes in patch [a], [b] and [c], are initialized the same way in the LTS mainline kernels you maintain.

4) For any RHEL 5 vintage LTS mainline kernels, see if task_struct's thread_group field is not initialised. If so, it is likely partially vulnerable and could do with a strong dose of patch [c].

Regards,
Harshula

[a] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f106eee10038c2ee5b6056aaf3f6d5229be6dcdd
[b] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f20011457f41c11edb5ea5038ad0c8ea9f392023
[c] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fa2755e20ab0c7215d99c2dc7c262e98a09b01df
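The precondition the report describes is a user-space process that shares init's process group, i.e. has a process group id of 0. The following audit helper is an added example (not code from this thread or from Red Hat) that an administrator can run to see whether any such processes exist on a host: it reads each /proc/<pid>/stat, parses it correctly even when the command name contains spaces or parentheses, and filters out kernel threads, which legitimately report pgrp 0 (they are recognised by the PF_KTHREAD task flag, 0x00200000 in include/linux/sched.h). The sample stat lines at the bottom are constructed for the demonstration, not captured from a real system.

```python
"""List user-space processes whose process group id is 0.

Added audit example, not code from the oss-sec thread. A process in pgid 0
shares the process group of init as described in the report; kernel threads
also sit in pgrp 0 and are filtered out via PF_KTHREAD.
"""
import os

PF_KTHREAD = 0x00200000  # task flag set on kernel threads (include/linux/sched.h)


def parse_stat(stat_text):
    """Parse the fields of a /proc/<pid>/stat line that this audit needs.

    Field 2 (comm) is parenthesised and may itself contain spaces or ')',
    so split at the LAST ')' rather than naively on whitespace.
    Fields after comm: state(3) ppid(4) pgrp(5) session(6) tty_nr(7) tpgid(8) flags(9)
    """
    head, _, tail = stat_text.rstrip("\n").rpartition(")")
    pid_str, _, comm = head.partition(" (")
    fields = tail.split()  # fields[0] is field 3 (state)
    return {
        "pid": int(pid_str),
        "comm": comm,
        "state": fields[0],
        "ppid": int(fields[1]),
        "pgrp": int(fields[2]),
        "session": int(fields[3]),
        "flags": int(fields[6]),
    }


def pgid_zero_userspace(stat_lines):
    """Return parsed entries with pgrp == 0 that are not kernel threads."""
    hits = []
    for line in stat_lines:
        info = parse_stat(line)
        if info["pgrp"] == 0 and not (info["flags"] & PF_KTHREAD):
            hits.append(info)
    return hits


def scan_proc(proc_root="/proc"):
    """Read every /proc/<pid>/stat under proc_root and report user-space pgid-0 processes."""
    lines = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "stat")) as fh:
                lines.append(fh.read())
        except OSError:
            continue  # process exited between listdir and open, or unreadable
    return pgid_zero_userspace(lines)


# Constructed sample stat lines (not captured output), carrying the first nine
# fields: pid (comm) state ppid pgrp session tty_nr tpgid flags
SAMPLE_STAT_LINES = [
    "1 (init) S 0 0 0 0 -1 4194560",                    # init in pgid 0, as in the report
    "2 (kthreadd) S 0 0 0 0 -1 2129984",                # kernel thread: pgrp 0, PF_KTHREAD set
    "4242 (my (odd) prog) S 1 0 0 0 -1 4194304",        # user process sharing pgid 0
    "4300 (bash) S 4242 4300 4300 34816 4300 4194304",  # ordinary process in its own group
]

if __name__ == "__main__":
    # Replace SAMPLE_STAT_LINES with scan_proc() to audit the running host.
    for hit in pgid_zero_userspace(SAMPLE_STAT_LINES):
        print(f"pid {hit['pid']} ({hit['comm']}) is in process group 0, ppid {hit['ppid']}")
```

On a sysvinit-era system, init itself showing up is expected; what merits attention is any other user-space process in the list, since it satisfies the condition the report requires. The PF_KTHREAD filter matters because every kthreadd child reports pgrp 0 and would otherwise flood the output.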