
List:       apache-httpd-dev
Subject:    Re: PID table changes (was Re: svn commit: r547987 - in /httpd/httpd/trunk)
From:       Joe Orton <jorton () redhat ! com>
Date:       2007-06-22 16:23:53
Message-ID: 20070622162353.GA15396 () redhat ! com

Looking at this further:

I can't actually see any exploit path here at all in 2.0.x prefork:

PSNC folks, in your report, "PoC #3 SIGUSR1 killer #1 (Apache 2.x)" 
concerns the "graceful shutdown" code, which is only present in 2.2.x, 
not 2.0.x.

The ap_reclaim_child_processes() path changed in SVN can't be an attack 
vector: all it does, by intent, is kill children of the parent.  The 
implementation guarantees that it will not kill any other process: 
waitpid() fails with ESRCH if passed a non-child pid.  reclaim_one_pid() 
will only kill the pid if waitpid returns zero.

The only kill() call in 2.0 prefork.c itself is in reap_children(), 
which is dead code.

joe
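The waitpid() guard described above, as an added illustration that is not httpd's own code: `reclaim_one_pid` here is a hypothetical stand-in for the function of that name in prefork.c, written to show why kill() can only ever reach a live child of the calling process (it also covers the already-exited and already-reaped cases, which the mail does not walk through).

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one reclaim attempt. */
enum reclaim_result {
    RECLAIM_REAPED,       /* child had already exited; its status was collected */
    RECLAIM_SIGNALLED,    /* child still running; the signal was sent           */
    RECLAIM_NOT_A_CHILD   /* waitpid() failed: pid is not our child, no kill()  */
};

/* Hypothetical stand-in for reclaim_one_pid(): waitpid() is the guard that
 * keeps kill() from ever reaching a process the parent did not create. */
enum reclaim_result reclaim_one_pid(pid_t pid, int sig)
{
    int status;
    pid_t rv = waitpid(pid, &status, WNOHANG);

    if (rv == pid)   /* the child has terminated and has now been reaped */
        return RECLAIM_REAPED;
    if (rv != 0)     /* -1: the kernel refuses, pid is not a child of ours */
        return RECLAIM_NOT_A_CHILD;
    /* rv == 0: a live child of this process; only now is kill() issued */
    kill(pid, sig);
    return RECLAIM_SIGNALLED;
}

int main(void)
{
    /* A process is never its own child: this must not signal anything. */
    enum reclaim_result r = reclaim_one_pid(getpid(), SIGTERM);
    printf("own pid: %s\n", r == RECLAIM_NOT_A_CHILD ? "refused" : "?!");

    /* A child that is still running is the only thing that gets signalled. */
    pid_t child = fork();
    if (child == 0) { pause(); _exit(0); }
    r = reclaim_one_pid(child, SIGTERM);
    printf("live child: %s\n", r == RECLAIM_SIGNALLED ? "signalled" : "?!");
    waitpid(child, NULL, 0);   /* collect the terminated child */
    return 0;
}
```

Once a child has been reaped its pid is no longer a child of ours either, so a later attempt against the same (possibly reused) pid is refused in the same way.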
