Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 20 Jan 2017 12:14:38 +0100
From: Greg KH <greg@...ah.com>
To: Harshula <harshula@...hat.com>
Cc: oss-security@...ts.openwall.com,
	Jesse Hertz <Jesse.Hertz@...group.trust>,
	Wade Mealing <wmealing@...hat.com>
Subject: Re: CVE REQUEST: linux kernel: process with pgid zero
 able to crash kernel

On Fri, Jan 20, 2017 at 09:39:41PM +1100, Harshula wrote:
> Hi Greg,
> 
> On Fri, 2017-01-20 at 09:26 +0100, Greg KH wrote:
> > On Fri, Jan 20, 2017 at 01:41:52PM +1100, Harshula wrote:
> > > Hi Folks,
> > > 
> > > Red Hat Product Security has been notified of a kernel vulnerability
> > > that a local attacker can exploit to crash/panic the kernel and cause a
> > > denial of service.
> > > 
> > > This was reported to Red Hat by Jesse Hertz (CC'd) (reproducer:
> > > rt411016):
> > > 
> > > "A process that is in the same process group as the ``init'' process
> > > (group id zero) can crash the Linux 2 kernel with several system calls
> > > by passing in a process ID or process group ID of zero. The value zero
> > > is a special value that indicates the current process ID or process
> > > group. However, in this case it is also the process group ID of the
> > > process."
> > > 
> > > I've been testing whether RHEL is vulnerable and found the following:
> > > 
> > > * Upstream/mainline is not vulnerable
> > 
> > Is this true for the mainline kernel tree that RHEL 6 was based on?
> > 
> > > * RHEL 7 is not vulnerable
> > > * RHEL 6 is vulnerable
> > > * RHEL 5 is partially vulnerable
> > 
> > So this is only due to a specific set of patches that were added to RHEL
> > 6 and RHEL 5 yet never made it upstream?  I ask as we want to make sure
> > some of the older LTS mainline kernels might be affected and it would be
> > good to ensure they are not.
> 
> Good questions, I had not looked at it from a mainline timeline
> perspective.
> 
> 1) Mainline kernels containing patches [a], [b] and [c] are not
> vulnerable.

Ah, nice, all of these showed up in the 2.6.35-rc1 release.  Any distro
based on something older than that needs to worry here.

Thanks for the details.

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.