Bug 132733 (CVE-2005-3106) - VUL-0: CVE-2005-3106: kernel: local dos with CLONE_VM threads and core dumping
Summary: VUL-0: CVE-2005-3106: kernel: local dos with CLONE_VM threads and core dumping
Status: RESOLVED WONTFIX
Alias: CVE-2005-3106
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Gerd Hoffmann
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-3106: CVSS v2 Base Score: 1....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-08 16:02 UTC by Marcus Meissner
Modified: 2021-11-22 10:26 UTC (History)
1 user

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2005-11-08 16:02:12 UTC
CVE-2005-3106

Race condition in Linux 2.6, when threads are sharing memory mapping via CLONE_VM (such as linuxthreads and vfork), might allow local users to cause a denial of service (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.

http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
Comment 1 Marcus Meissner 2005-11-08 16:02:42 UTC
Not sure if it affects us at all, have to cross-check.
Comment 2 Olaf Kirch 2005-11-09 12:04:45 UTC
Chris, can you assign this to someone in your team please?
Comment 3 Chris L Mason 2005-11-14 05:43:46 UTC
Gerd, please take this one as well.
Comment 4 Gerd Hoffmann 2005-11-14 10:52:52 UTC
Pretty much the same low impact as bug #132731, i.e. the deadlock affects the threaded task only, not the whole system.  Backport looks trivial though, the fix likely applies as-is to sles9.  Also made it into 2.6.11 mainline.  What to do?
Comment 5 Marcus Meissner 2005-11-14 11:00:27 UTC
This lonely up() confuses me a bit.

But I think it is as minor an issue as bug #132731, so let's lay it to rest.

Comment 6 Gerd Hoffmann 2005-11-14 11:12:43 UTC
The patch adds a matching down() in the other (completely new) "if (old_mm)" block.

With the patch added the code between the first and second patch chunk runs with a read lock on old_mm->mmap_sem, which closes the race window.
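The mechanism Gerd describes in comment 6, modelled in user space. This is an added example and not the kernel's fs/exec.c or anything attached to this bug: the struct layouts, the core_waiters field, the check that makes exec_mmap() return -EINTR when a dump is already counting threads, and the single forced interleaving are this example's assumptions. It runs the same count-then-exec order against the pre-fix and the fixed exec_mmap(): without the read lock and the check, the dumper counts a thread that then leaves the mm and never checks in, so the dump would wait forever; with them the exec is refused and the thread checks in on its normal exit path.

```c
/* Added user-space model of the race in this bug and of the fix discussed in
 * comment 6. Not kernel code: names mirror fs/exec.c, but the structures, the
 * core_waiters check and the -EINTR return are this example's assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdio.h>

struct mm_struct {
    pthread_rwlock_t mmap_sem;  /* stands in for mm->mmap_sem */
    int core_waiters;           /* threads a dump in progress still waits for */
};
struct task_struct { struct mm_struct *mm; };  /* CLONE_VM threads share one mm */

/* exec side. fixed == false is the pre-fix behaviour: the task swaps its mm
 * without looking at old_mm. fixed == true runs the check and the swap under
 * old_mm->mmap_sem held for read, so they cannot straddle the dumper's count,
 * which holds the same lock for write. */
static int exec_mmap(struct task_struct *tsk, struct mm_struct *new_mm, bool fixed)
{
    struct mm_struct *old_mm = tsk->mm;
    if (fixed && old_mm) {
        pthread_rwlock_rdlock(&old_mm->mmap_sem);      /* down_read(&old_mm->mmap_sem) */
        if (old_mm->core_waiters) {                    /* a dump already counted us */
            pthread_rwlock_unlock(&old_mm->mmap_sem);  /* up_read() on the abort path */
            return -EINTR;                             /* stay in old_mm; check in on exit */
        }
    }
    tsk->mm = new_mm;                                  /* activate_mm(): old_mm is no longer ours */
    if (fixed && old_mm)
        pthread_rwlock_unlock(&old_mm->mmap_sem);      /* the matching up_read() */
    return 0;
}

/* Dump side: under mmap_sem held for write, count every other task still
 * attached to mm; the dumper then sleeps until each of them has checked in. */
static int coredump_count_waiters(struct mm_struct *mm, struct task_struct *tasks,
                                  int ntasks, struct task_struct *dumper)
{
    pthread_rwlock_wrlock(&mm->mmap_sem);
    mm->core_waiters = 0;
    for (int i = 0; i < ntasks; i++)
        if (&tasks[i] != dumper && tasks[i].mm == mm)
            mm->core_waiters++;
    pthread_rwlock_unlock(&mm->mmap_sem);
    return mm->core_waiters;
}

struct victim { struct task_struct *tsk; struct mm_struct *new_mm; sem_t *go; bool fixed; int rc; };

/* The thread that execs. It is released only after the dumper has counted it,
 * which is the interleaving that deadlocked the old code. */
static void *victim_thread(void *arg)
{
    struct victim *v = arg;
    struct mm_struct *old_mm = v->tsk->mm;
    sem_wait(v->go);
    v->rc = exec_mmap(v->tsk, v->new_mm, v->fixed);
    if (v->rc != 0)
        old_mm->core_waiters--;      /* exec refused: the exit path checks in with the dumper */
    return NULL;                     /* exec'd: never touches old_mm again, so never checks in */
}

/* Runs the count-then-exec interleaving for one variant of exec_mmap(). Returns
 * true if the dump can complete, false if the dumper would wait forever;
 * *exec_rc receives exec_mmap()'s return value. */
bool run_scenario(bool fixed, int *exec_rc)
{
    struct mm_struct shared = { .core_waiters = 0 }, fresh = { .core_waiters = 0 };
    struct task_struct tasks[2] = { { &shared }, { &shared } };  /* dumper + CLONE_VM sibling */
    sem_t go;
    pthread_t th;
    struct victim v = { &tasks[1], &fresh, &go, fixed, 0 };
    pthread_rwlock_init(&shared.mmap_sem, NULL);
    pthread_rwlock_init(&fresh.mmap_sem, NULL);
    sem_init(&go, 0, 0);
    pthread_create(&th, NULL, victim_thread, &v);
    coredump_count_waiters(&shared, tasks, 2, &tasks[0]);    /* counts tasks[1] */
    sem_post(&go);                                            /* now let tasks[1] exec */
    pthread_join(th, NULL);                                   /* nothing else will ever run */
    *exec_rc = v.rc;
    bool completes = (shared.core_waiters == 0);
    sem_destroy(&go);
    pthread_rwlock_destroy(&shared.mmap_sem);
    pthread_rwlock_destroy(&fresh.mmap_sem);
    return completes;
}

bool dump_completes(bool fixed) { int rc; return run_scenario(fixed, &rc); }
int  exec_result(bool fixed)    { int rc; run_scenario(fixed, &rc); return rc; }

int main(void)
{
    int rc_old = exec_result(false), rc_new = exec_result(true);
    printf("pre-fix:  exec rc=%d, dump %s\n", rc_old, dump_completes(false) ? "completes" : "waits forever");
    printf("with fix: exec rc=%d, dump %s\n", rc_new, dump_completes(true) ? "completes" : "waits forever");
    return 0;
}
```

Build with `cc -pthread model.c`. What the read lock buys is visible in exec_mmap(): the core_waiters check and the mm switch form one critical section against the dumper's write-locked count, which is the window comment 6 says the patch closes; without it a thread can be counted and then leave the mm with nobody left to wake the dumper.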
Comment 7 Thomas Biege 2009-10-13 21:48:42 UTC
CVE-2005-3106: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)