** Changed in: linux-lts-backport-natty (Ubuntu Lucid) Status: In Progress => Fix Committed
** Changed in: linux-mvl-dove (Ubuntu Lucid) Status: In Progress => Fix Committed ** Changed in: linux-mvl-dove (Ubuntu Maverick) Status: In Progress => Fix Committed ** Changed in: linux-lts-backport-maverick (Ubuntu Lucid) Status: In Progress => Fix Committed ** Changed in: linux-ti-omap4 (Ubuntu Oneiric) Status: In Progress => Fix Committed ** Description changed: The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit - handlers, which allows local users to cause a denial of service (memory and - CPU consumption), and bypass the OOM Killer, via a crafted application. + handlers, which allows local users to cause a denial of service (memory + and CPU consumption), and bypass the OOM Killer, via a crafted + application. Fixed-by: 26c4caea9d697043cc5a458b96411b86d7f6babd - - commit 26c4caea9d697043cc5a458b96411b86d7f6babd - Author: Vasiliy Kulikov <seg...@openwall.com> - Date: Mon Jun 27 16:18:11 2011 -0700 - - taskstats: don't allow duplicate entries in listener mode - - Currently a single process may register exit handlers unlimited times. - It may lead to a bloated listeners chain and very slow process - terminations. - - Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of - kernel memory is stolen for the handlers chain and "time id" shows 2-7 - seconds instead of normal 0.003. It makes it possible to exhaust all - kernel memory and to eat much of CPU time by triggerring numerous exits - on a single CPU. - - The patch limits the number of times a single process may register - itself on a single CPU to one. - - One little issue is kept unfixed - as taskstats_exit() is called before - exit_files() in do_exit(), the orphaned listener entry (if it was not - explicitly deregistered) is kept until the next someone's exit() and - implicit deregistration in send_cpu_listeners(). So, if a process - registered itself as a listener exits and the next spawned process gets - the same pid, it would inherit taskstats attributes. - - Signed-off-by: Vasiliy Kulikov <sego...@gmail.com> - Cc: Balbir Singh <bsinghar...@gmail.com> - Cc: <sta...@kernel.org> - Signed-off-by: Andrew Morton <a...@linux-foundation.org> - Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/806390 Title: CVE-2011-2484 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/806390/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs