Debian Bug report logs - #419706
setrlimit(RLIMIT_CPUINFO) with zero value doesn't inherit properly across children
Reported by: Micah Cowan <micah@cowan.name>
Date: Tue, 17 Apr 2007 14:27:02 UTC
Severity: normal
Fixed in versions fai-kernels/1.17+etch.18etch2, user-mode-linux/2.6.18-1um-2etch.18etch2
Done: dann frazier <dannf@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#419706; Package kernel.
Acknowledgement sent to Micah Cowan <micah@cowan.name>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: kernel
This is in 2.6.20-3 and (Ubuntu) 2.6.20-15.
Full details may be found on the zsh-workers thread, here:
http://www.zsh.org/mla/workers/2007/msg00200.html
A bug for Ubuntu on launchpad is at
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/107209
The following behavior was observed:
$ bash -c 'ulimit -t 0; ulimit -Ht; while :; do :; done'
0
Killed
$ bash -c 'ulimit -t 0; ulimit -Ht; (while :; do :; done)'
0
<loops forever>
$ bash -c 'ulimit -St 0; while :; do :; done'
CPU time limit exceeded (core dumped)
$ bash -c 'ulimit -St 0; (while :; do :; done)'
<loops forever>
David Peer suggested:
> but here is one rapid fix that solves the problem.
>
> (you will not see the new limit of 1 sec but you'll still see it set to 0, but it's 1 sec - believe me && try,
>
> if you want to see it, fork another any shell and you'll see it....bug or feature?!)
>
> Before the line: *old_rlim = new_rlim;
>
> add:
>
> if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
> /*
> * The caller is asking for an immediate RLIMIT_CPU
> * expiry. But we use the zero value to mean "it was
> * never set". So let's cheat and make it one second
> * instead
> */
> new_rlim.rlim_cur = 1;
> }
>
> You can remove the dumb if statement that does nothing because the assignment occurs (*old_rlim = new_rlim) before
>
> so it has no meaning! : if (rlim_cur == 0) {....}
>
> David
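The check below is an added example, not code from the bug report or from the kernel patch: it repeats the subshell case from the transcript above in C, setting a soft RLIMIT_CPU in a helper process and reporting whether a forked child is stopped by SIGXCPU. The names `cpu_limit_inherited`, `helper` and the three result codes are assumptions of this example; it expects Linux and a default gcc or clang build.

```c
/* Added example: function names and result codes are this example's own. */
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum { LIMIT_ENFORCED = 0, LIMIT_IGNORED = 1, CHECK_ERROR = 2 };

/* Runs in a throwaway process: set the soft limit, fork a spinner, watch it. */
static int helper(rlim_t soft_secs, unsigned wall_secs)
{
    struct rlimit rl;
    struct timespec tick = { 0, 100 * 1000 * 1000 };  /* poll every 100 ms */
    int st;
    signal(SIGXCPU, SIG_IGN);         /* the helper must outlive its own limit */
    if (getrlimit(RLIMIT_CPU, &rl) != 0) return CHECK_ERROR;
    rl.rlim_cur = soft_secs;          /* like "ulimit -St"; hard limit untouched */
    if (setrlimit(RLIMIT_CPU, &rl) != 0) return CHECK_ERROR;
    pid_t spinner = fork();           /* like the "( ... )" subshell */
    if (spinner < 0) return CHECK_ERROR;
    if (spinner == 0) {
        signal(SIGXCPU, SIG_DFL);
        for (volatile unsigned long n = 0;; n++) { }  /* burn CPU time */
    }
    for (unsigned i = 0; i < wall_secs * 10; i++) {   /* wall-clock watchdog */
        pid_t r = waitpid(spinner, &st, WNOHANG);
        if (r < 0) return CHECK_ERROR;
        if (r == spinner)             /* anything but SIGXCPU is unexpected */
            return WIFSIGNALED(st) && WTERMSIG(st) == SIGXCPU ? LIMIT_ENFORCED : CHECK_ERROR;
        nanosleep(&tick, NULL);
    }
    kill(spinner, SIGKILL);           /* still spinning: the limit never fired */
    waitpid(spinner, &st, 0);
    return LIMIT_IGNORED;
}

/* Returns one of the codes above; the caller's own limits are left alone. */
int cpu_limit_inherited(rlim_t soft_secs, unsigned wall_secs)
{
    int st;
    pid_t h = fork();
    if (h < 0) return CHECK_ERROR;
    if (h == 0) _exit(helper(soft_secs, wall_secs));
    if (waitpid(h, &st, 0) != h || !WIFEXITED(st)) return CHECK_ERROR;
    return WEXITSTATUS(st);
}

int main(void) { return cpu_limit_inherited(0, 5); }  /* exit status = result */
```

On a kernel that shows the behaviour reported here, `cpu_limit_inherited(0, 5)` returns `LIMIT_IGNORED` once the five-second watchdog expires.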
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#419706; Package kernel.
Acknowledgement sent to Micah Cowan <micah@cowan.name>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #10 received at 419706@bugs.debian.org:
[Message part 1 (text/plain, inline)]
http://www.uwsg.indiana.edu/hypermail/linux/kernel/0704.2/0549.html
[linux-2.6.20.3-cpulimit.diff (text/x-patch, inline)]
Follows a trivial patch to check for RLIMIT_CPU to 0 in the right place.
diff -urN linux-2.6.20.3.orig/kernel/sys.c linux-2.6.20.3/kernel/sys.c
--- linux-2.6.20.3.orig/kernel/sys.c 2007-03-13 20:27:08.000000000 +0200
+++ linux-2.6.20.3/kernel/sys.c 2007-04-17 16:38:51.651236000 +0300
@@ -1916,6 +1916,16 @@
if (retval)
return retval;
+ if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
+ /*
+ * The caller is asking for an immediate RLIMIT_CPU
+ * expiry. But we use the zero value to mean "it was
+ * never set". So let's cheat and make it one second
+ * instead
+ */
+ new_rlim.rlim_cur = 1;
+ }
+
task_lock(current->group_leader);
*old_rlim = new_rlim;
task_unlock(current->group_leader);
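Review bot: The clamp added ahead of `task_lock()` rewrites only `new_rlim.rlim_cur`, so a request that sets both limits to 0 (the report's `ulimit -t 0` case, where `ulimit -Ht` prints 0) is stored by `*old_rlim = new_rlim` with a soft limit of 1 above a hard limit of 0. Either handle a zero `rlim_max` explicitly or say in the comment that this is intended. The stored soft limit now also differs from the value the caller passed, which deserves a line in the patch description.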
@@ -1937,15 +1947,6 @@
unsigned long rlim_cur = new_rlim.rlim_cur;
cputime_t cputime;
- if (rlim_cur == 0) {
- /*
- * The caller is asking for an immediate RLIMIT_CPU
- * expiry. But we use the zero value to mean "it was
- * never set". So let's cheat and make it one second
- * instead
- */
- rlim_cur = 1;
- }
cputime = secs_to_cputime(rlim_cur);
read_lock(&tasklist_lock);
spin_lock_irq(¤t->sighand->siglock);
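Review bot: With the `rlim_cur == 0` branch removed, `cputime = secs_to_cputime(rlim_cur)` silently relies on the clamp added in the first hunk for a nonzero value. A one-line comment at the declaration of `rlim_cur`, noting that zero has already been raised to one second before the assignment to `*old_rlim`, would keep that dependency visible to whoever next edits either block.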
Tags added: pending
Request was from Dann Frazier <dannf@alioth.debian.org>
to control@bugs.debian.org.
(Sat, 05 Apr 2008 00:21:03 GMT).
Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility.
Notification sent to Micah Cowan <micah@cowan.name>:
Bug acknowledged by developer.
Message #17 received at 419706-close@bugs.debian.org:
Source: fai-kernels
Source-Version: 1.17+etch.18etch2
We believe that the bug you reported is fixed in the latest version of
fai-kernels, which is due to be installed in the Debian FTP archive:
fai-kernels_1.17+etch.18etch2.dsc
to pool/main/f/fai-kernels/fai-kernels_1.17+etch.18etch2.dsc
fai-kernels_1.17+etch.18etch2.tar.gz
to pool/main/f/fai-kernels/fai-kernels_1.17+etch.18etch2.tar.gz
fai-kernels_1.17+etch.18etch2_i386.deb
to pool/main/f/fai-kernels/fai-kernels_1.17+etch.18etch2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 419706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated fai-kernels package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 21 Apr 2008 22:30:26 -0600
Source: fai-kernels
Binary: fai-kernels
Architecture: source i386
Version: 1.17+etch.18etch2
Distribution: stable-security
Urgency: high
Maintainer: Holger Levsen <holger@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description:
fai-kernels - special kernels for FAI (Fully Automatic Installation)
Closes: 419706
Changes:
fai-kernels (1.17+etch.18etch2) stable-security; urgency=high
.
* Rebuild against linux-source-2.6.18 (2.6.18.dfsg.1-18etch2):
* bugfix/powerpc-chrp-null-deref.patch
[SECURITY][powerpc] Fix NULL pointer dereference if get_property
fails on the subarchitecture
See CVE-2007-6694
* bugfix/mmap-VM_DONTEXPAND.patch
[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
a fault handler but do not bounds check the offset argument
See CVE-2008-0007
* bugfix/RLIMIT_CPU-earlier-checking.patch
[SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
to prevent a user escape (closes: #419706)
See CVE-2008-1294
* bugfix/dnotify-race.patch
[SECURITY] Fix a race in the directory notify
See CVE-2008-1375
This patch changes the ABI
* Bump ABI to 7.
Files:
6f6faa132a53e808bcc61823d140290a 740 admin extra fai-kernels_1.17+etch.18etch2.dsc
0a46d75b3ced870a96ea41b900f1ecaa 55185 admin extra fai-kernels_1.17+etch.18etch2.tar.gz
0ce72fa3c9dfd208b1afa6912ffbcc3d 5518204 admin extra fai-kernels_1.17+etch.18etch2_i386.deb
Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility.
Notification sent to Micah Cowan <micah@cowan.name>:
Bug acknowledged by developer.
Message #22 received at 419706-close@bugs.debian.org:
Source: user-mode-linux
Source-Version: 2.6.18-1um-2etch.18etch2
We believe that the bug you reported is fixed in the latest version of
user-mode-linux, which is due to be installed in the Debian FTP archive:
user-mode-linux_2.6.18-1um-2etch.18etch2.diff.gz
to pool/main/u/user-mode-linux/user-mode-linux_2.6.18-1um-2etch.18etch2.diff.gz
user-mode-linux_2.6.18-1um-2etch.18etch2.dsc
to pool/main/u/user-mode-linux/user-mode-linux_2.6.18-1um-2etch.18etch2.dsc
user-mode-linux_2.6.18-1um-2etch.18etch2_i386.deb
to pool/main/u/user-mode-linux/user-mode-linux_2.6.18-1um-2etch.18etch2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 419706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated user-mode-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 21 Apr 2008 22:21:27 -0600
Source: user-mode-linux
Binary: user-mode-linux
Architecture: source i386
Version: 2.6.18-1um-2etch.18etch2
Distribution: stable-security
Urgency: high
Maintainer: User Mode Linux Maintainers <pkg-uml-pkgs@lists.alioth.debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description:
user-mode-linux - User-mode Linux (kernel)
Closes: 419706
Changes:
user-mode-linux (2.6.18-1um-2etch.18etch2) stable-security; urgency=high
.
* Rebuild against linux-source-2.6.18 (2.6.18.dfsg.1-18etch2):
* bugfix/powerpc-chrp-null-deref.patch
[SECURITY][powerpc] Fix NULL pointer dereference if get_property
fails on the subarchitecture
See CVE-2007-6694
* bugfix/mmap-VM_DONTEXPAND.patch
[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
a fault handler but do not bounds check the offset argument
See CVE-2008-0007
* bugfix/RLIMIT_CPU-earlier-checking.patch
[SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
to prevent a user escape (closes: #419706)
See CVE-2008-1294
* bugfix/dnotify-race.patch
[SECURITY] Fix a race in the directory notify
See CVE-2008-1375
This patch changes the ABI
* Bump ABI to 7.
Files:
52c602d55bdc301a0622ed8a63745f29 892 misc extra user-mode-linux_2.6.18-1um-2etch.18etch2.dsc
868c1f27ad2c8db782bbd2bdc3618d70 16873 misc extra user-mode-linux_2.6.18-1um-2etch.18etch2.diff.gz
6cc7cc34a241783bb8f3b2c9da7595a2 25583354 misc extra user-mode-linux_2.6.18-1um-2etch.18etch2_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Aug 2008 08:26:06 GMT).
Last modified:
Tue Jul 16 06:08:30 2024;