Re: CVE REQUEST: linux kernel: process with pgid zero able to crash kernel

[Greg KH <greg () kroah com>]

On Fri, Jan 20, 2017 at 09:39:41PM +1100, Harshula wrote:
> Hi Greg,
>
> On Fri, 2017-01-20 at 09:26 +0100, Greg KH wrote:
> > On Fri, Jan 20, 2017 at 01:41:52PM +1100, Harshula wrote:
> > > Hi Folks,
> > >
> > > Red Hat Product Security has been notified of a kernel vulnerability
> > > that a local attacker can exploit to crash/panic the kernel and cause a
> > > denial of service.
> > >
> > > This was reported to Red Hat by Jesse Hertz (CC'd) (reproducer:
> > > rt411016):
> > >
> > > "A process that is in the same process group as the ``init'' process
> > > (group id zero) can crash the Linux 2 kernel with several system calls
> > > by passing in a process ID or process group ID of zero. The value zero
> > > is a special value that indicates the current process ID or process
> > > group. However, in this case it is also the process group ID of the
> > > process."
> > >
> > > I've been testing whether RHEL is vulnerable and found the following:
> > >
> > > * Upstream/mainline is not vulnerable
> >
> > Is this true for the mainline kernel tree that RHEL 6 was based on?
> >
> > > * RHEL 7 is not vulnerable
> > > * RHEL 6 is vulnerable
> > > * RHEL 5 is partially vulnerable
> >
> > So this is only due to a specific set of patches that were added to RHEL
> > 6 and RHEL 5 yet never made it upstream?  I ask as we want to make sure
> > some of the older LTS mainline kernels might be affected and it would be
> > good to ensure they are not.
>
> Good questions, I had not looked at it from a mainline timeline
> perspective.
>
> 1) Mainline kernels containing patches [a], [b] and [c] are not
> vulnerable.

Ah, nice, all of these showed up in the 2.6.35-rc1 release.  Any distro
based on something older than that needs to worry here.

Thanks for the details.

greg k-h