oss-security - Re: CVE request: kernel: 'kill sig -1' must only apply to caller's PID namespace

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 21 Apr 2009 10:42:28 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: 'kill sig -1' must only apply
 to caller's PID namespace

Eugene Teo wrote:
> Eugene Teo wrote:
>> I came across this while reviewing some older upstream patches.
>>
>> Apparently, it was possible to run kill <sig> -1 to kill processes in
>> all PID namespaces, and break the isolation of namespaces. The expected
>> behaviour for this is to only kill processes in its own hierarchy. The
>> fix uses task_pid_vnr() to check if the process is outside of the
>> caller's namespace before killing.
> 
> I am still able to reproduce the problem even after applying this
> upstream patch (commit d25141a8). I'm still figuring out what other

Ok, you will need to make sure you have commit 44c4e1b2 too. I have
tested this on 2.6.24.7 with these two patches, and the problem is fixed.

https://bugzilla.redhat.com/show_bug.cgi?id=496031#c14

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.