Linux kernel 2.6.18: do_coredump() vs ptrace_start() deadlock

2009-07-06 / 2009-07-07
Credit: Eugene Teo
Risk: High
Local: No
Remote: Yes
CWE: CWE-362


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

The OpenVZ Linux kernel team has found a deadlock between the ptrace and coredump code. It affects 2.6.18 but does not affect the upstream kernel. "ptrace_start() spins waiting for child->state == TASK_TRACED/TASK_STOPPED. If we race with the coredumping, we have to wait until it completes. If the tracer participates in coredumping too, we deadlock. do_coredump() waits for the tracer to exit and report complete(mm->core_startup_done); the tracer spins in an endless loop. Change ptrace_start() to abort if child->mm->core_waiters != 0."

Patch: https://bugzilla.redhat.com/attachment.cgi?id=346742
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1388
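The circular wait described above, as an added model that is not code from the page, the patch or the kernel: the child's coredump waits for every user of the mm to check in, while the tracer, itself one of those users, spins in ptrace_start() waiting for a stop that cannot come; `fixed` enables the check the patch adds. The step scheduler, the task layout and the 1000-round idle bound are assumptions of the model.

```c
/* Constructed user-space model of the 2.6.18 logic, not kernel code. One mm is
 * shared by the traced child (fatal signal, do_coredump()) and the tracer
 * (ptrace_start() on it); a round-robin scheduler runs both as step functions. */
enum { TASK_RUNNING, TASK_TRACED };
enum { BLOCKED = 0, DONE = 1 };
static struct { int core_waiters; } mm;          /* mm->core_waiters */
static struct { int state; int pc; } child;      /* traced task, uses mm */
static struct { int rc; int pc; } tracer;        /* tracer, also uses mm */

/* Child: do_coredump() -> coredump_wait() counts the other users of the mm and
 * blocks in wait_for_completion(core_startup_done) until each has checked in.
 * Only after that could the child ever stop in TASK_TRACED for its tracer. */
static int child_step(void)
{
    if (child.pc == 0) { mm.core_waiters = 1; child.pc = 1; }  /* one other user */
    if (mm.core_waiters != 0) return BLOCKED;
    child.state = TASK_TRACED;
    return DONE;
}

/* Tracer: ptrace_start() spins until child->state == TASK_TRACED; the patch adds
 * an abort when child->mm->core_waiters != 0. Once ptrace_start() returns, the
 * tracer reaches coredump_wait() itself and checks in via complete(). */
static int tracer_step(int fixed)
{
    if (tracer.pc == 0) {
        if (fixed && mm.core_waiters != 0) tracer.rc = -1;   /* patched: abort */
        else if (child.state == TASK_TRACED) tracer.rc = 0;  /* normal stop */
        else return BLOCKED;                                  /* keep spinning */
        tracer.pc = 1;
    }
    mm.core_waiters--;                      /* complete(mm->core_startup_done) */
    return DONE;
}

/* Round-robin both tasks until both finish (returns 0) or neither has made
 * progress for 1000 rounds, which the model reports as a deadlock (returns 1). */
static int simulate(int fixed)
{
    int cdone = 0, tdone = 0, idle = 0;
    mm.core_waiters = 0; child.state = TASK_RUNNING; child.pc = 0;
    tracer.rc = -99; tracer.pc = 0;
    while (!(cdone && tdone) && idle < 1000) {
        int before = cdone + tdone;
        if (!cdone) cdone = child_step();
        if (!tdone) tdone = tracer_step(fixed);
        idle = (cdone + tdone == before) ? idle + 1 : 0;
    }
    return (cdone && tdone) ? 0 : 1;
}
```

Without the check both tasks stay blocked on each other and simulate(0) reports the deadlock; with it the tracer aborts, checks in, and the dump completes.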

References:

https://bugzilla.redhat.com/show_bug.cgi?id=504263
https://bugzilla.redhat.com/attachment.cgi?id=346742
https://bugzilla.redhat.com/attachment.cgi?id=346615



Copyright 2024, cxsecurity.com