httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] pid safety checks for 2.2.x
Date Fri, 29 Jun 2007 14:10:32 GMT
On Wed, Jun 27, 2007 at 04:42:38PM -0400, Jim Jagielski wrote:
> I might be missing this (just did a quick scan) but
> what about ap_reclaim_child_processes/reclaim_one_pid()?
> Here we "trust" the pid in the scoreboard and
> send signals.

I'd said in the other thread that this wasn't an attack vector (and
hence 2.0.x wasn't vulnerable), because it already goes through a
waitpid() before a kill().  Having looked at it again on your prompting
there is a cute way to exploit it: using a pid of -1 will have waitpid()
wait for any child, which can easily succeed with "not done", and then
passing a pid of -1 to kill is... kind of nasty, especially for root.
So I fixed that also in the commit to the trunk.

I haven't forgotten 1.3, and will submit 2.0/2.2 backports for review 
shortly!

joe
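As an added illustration of the check Joe describes (not the httpd patch itself, nor httpd's own scoreboard code): a reclaim helper that validates a pid read from shared state before it ever reaches waitpid() or kill(). The names pid_is_sane, reclaim_one_pid_safe and the RECLAIM_* codes are assumptions made for this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if a pid read from shared state (e.g. a scoreboard slot) is a
 * plausible child worker to signal, 0 otherwise.  Values <= 1 are the
 * dangerous ones: waitpid(-1, ...) reaps *any* child, kill(-1, sig)
 * signals every process the caller may signal (all of them for root),
 * kill(0, sig) hits the whole process group, and pid 1 is init. */
int pid_is_sane(pid_t pid)
{
    if (pid <= 1)         return 0;
    if (pid == getpid())  return 0;   /* never signal ourselves */
    if (pid == getppid()) return 0;   /* nor our own parent */
    return 1;
}

/* Outcome codes for reclaim_one_pid_safe(). */
enum { RECLAIM_REJECTED = -1, RECLAIM_REAPED = 0,
       RECLAIM_SIGNALLED = 1, RECLAIM_GONE = 2 };

/* Reap the child if it has already exited, otherwise send it `sig`.
 * Only a validated pid is ever passed to waitpid()/kill(). */
int reclaim_one_pid_safe(pid_t pid, int sig)
{
    int status;
    pid_t r;

    if (!pid_is_sane(pid))
        return RECLAIM_REJECTED;
    r = waitpid(pid, &status, WNOHANG);
    if (r == pid)
        return RECLAIM_REAPED;          /* already exited, nothing to kill */
    if (r < 0 && errno == ECHILD)
        return RECLAIM_GONE;            /* not our child at all */
    if (r == 0 && kill(pid, sig) == 0)
        return RECLAIM_SIGNALLED;       /* still running ("not done"); signalled */
    return RECLAIM_GONE;
}

int main(void)
{
    pid_t child = fork();                        /* constructed sample child */
    if (child == 0) { pause(); _exit(0); }       /* child: wait to be signalled */
    printf("pid -1 -> %d (rejected)\n", reclaim_one_pid_safe(-1, SIGTERM));
    printf("pid %d -> %d (signalled)\n", (int)child, reclaim_one_pid_safe(child, SIGTERM));
    waitpid(child, NULL, 0);                     /* reap the sample child */
    return 0;
}
```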
