[Bug 806390] Re: CVE-2011-2484

Kees Cook Mon, 01 Aug 2011 20:26:46 -0700

** Changed in: linux-lts-backport-natty (Ubuntu Lucid)
       Status: In Progress => Fix Committed


** Changed in: linux-mvl-dove (Ubuntu Lucid)
       Status: In Progress => Fix Committed

** Changed in: linux-mvl-dove (Ubuntu Maverick)
       Status: In Progress => Fix Committed

** Changed in: linux-lts-backport-maverick (Ubuntu Lucid)
       Status: In Progress => Fix Committed

** Changed in: linux-ti-omap4 (Ubuntu Oneiric)
       Status: In Progress => Fix Committed

** Description changed:

  The add_del_listener function in kernel/taskstats.c in the Linux kernel
  2.6.39.1 and earlier does not prevent multiple registrations of exit
- handlers, which allows local users to cause a denial of service (memory and
- CPU consumption), and bypass the OOM Killer, via a crafted application.
+ handlers, which allows local users to cause a denial of service (memory
+ and CPU consumption), and bypass the OOM Killer, via a crafted
+ application.
  
  Fixed-by: 26c4caea9d697043cc5a458b96411b86d7f6babd
- 
-   commit 26c4caea9d697043cc5a458b96411b86d7f6babd
-   Author: Vasiliy Kulikov <seg...@openwall.com>
-   Date:   Mon Jun 27 16:18:11 2011 -0700
- 
-     taskstats: don't allow duplicate entries in listener mode
-     
-     Currently a single process may register exit handlers unlimited times.
-     It may lead to a bloated listeners chain and very slow process
-     terminations.
-     
-     Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
-     kernel memory is stolen for the handlers chain and "time id" shows 2-7
-     seconds instead of normal 0.003.  It makes it possible to exhaust all
-     kernel memory and to eat much of CPU time by triggerring numerous exits
-     on a single CPU.
-     
-     The patch limits the number of times a single process may register
-     itself on a single CPU to one.
-     
-     One little issue is kept unfixed - as taskstats_exit() is called before
-     exit_files() in do_exit(), the orphaned listener entry (if it was not
-     explicitly deregistered) is kept until the next someone's exit() and
-     implicit deregistration in send_cpu_listeners().  So, if a process
-     registered itself as a listener exits and the next spawned process gets
-     the same pid, it would inherit taskstats attributes.
-     
-     Signed-off-by: Vasiliy Kulikov <sego...@gmail.com>
-     Cc: Balbir Singh <bsinghar...@gmail.com>
-     Cc: <sta...@kernel.org>
-     Signed-off-by: Andrew Morton <a...@linux-foundation.org>
-     Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/806390

Title:
  CVE-2011-2484

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/806390/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 806390] Re: CVE-2011-2484

Reply via email to