Message-ID: <m1k41adge1.fsf@fess.ebiederm.org>
Date: Fri, 20 Apr 2012 00:14:14 -0700
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Eugene Teo <eugeneteo@...nel.sg>
Cc: Marcus Meissner <meissner@...e.de>,  OSS Security List <oss-security@...ts.openwall.com>,  security@...nel.org,  Sukadev Bhattiprolu <sukadev@...ibm.com>,  Serge Hallyn <serge.hallyn@...onical.com>,  Pavel Emelyanov <xemul@...nvz.org>
Subject: Re: CVE request: pid namespace leak in kernel 3.0 and 3.1

Eugene Teo <eugeneteo@...nel.sg> writes:

>> So we know what is holding the pid namespace reference.
>>
>> Additional thoughts.
>>
>> Does echo 3 > /proc/sys/vm/drop_caches clear up the issue?
>
> No.
>
>> Is there a corresponding task_struct leak?
>
> Yes.

Hmm.  The zombies are reaped? 

I am scratching my head, perhaps because I am looking at the current code,
but I don't seem to see how a task that pins a pid can get past
release_task (the zombie reaper), and in particular past __exit_signal()
in release_task, which calls unhash_process().

The simple test to see if we have made it past unhash_process is to see
if you can see the zombie processes.

> I'm helping to provide more information.

You are.  Thank you for looking to see what the symptoms are.

Eric
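The "simple test" above, as an added example that is not part of the thread: a POSIX sh snippet that scans /proc/<pid>/stat for tasks in state Z and prints pid, parent pid and command name. It assumes the Linux /proc stat format (pid, parenthesised comm, then state and ppid); the comm field may itself contain spaces and ')' so the parser splits at the last ')'.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists zombie tasks so you can
# check whether exited tasks are still visible, i.e. have not yet made it
# through release_task()/unhash_process().

# parse_stat_line LINE
#   LINE is the contents of one /proc/<pid>/stat file. Prints "pid ppid comm"
#   if the task state is Z (zombie); prints nothing otherwise.
parse_stat_line() {
    line=$1
    pid=${line%% *}            # first field: pid
    comm=${line#* (}           # drop "pid (" ...
    comm=${comm%)*}            # ... and everything from the LAST ')' on
    rest=${line##*)}           # fields after the last ')': " state ppid ..."
    # shellcheck disable=SC2086  # word splitting is intended here
    set -- $rest
    state=$1
    ppid=$2
    [ "$state" = Z ] || return 0
    printf '%s %s %s\n' "$pid" "$ppid" "$comm"
}

# list_zombies
#   Walks /proc and prints every zombie found (one per line).
list_zombies() {
    for f in /proc/[0-9]*/stat; do
        [ -r "$f" ] || continue           # task may have vanished meanwhile
        parse_stat_line "$(cat "$f" 2>/dev/null)"
    done
}

# count_zombies
#   Prints the number of zombies currently visible in /proc.
count_zombies() {
    list_zombies | wc -l | tr -d ' '
}
```

Run `list_zombies` before and after a workload that is suspected of leaking; a pid namespace whose zombies never disappear is the symptom the message asks about.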
