On Mon, Nov 19, 2012 at 7:12 AM, Eric W. Biederman <ebied...@xmission.com> wrote:
> From: "Eric W. Biederman" <ebied...@xmission.com>
>
> The task_user_ns function hides the fact that it is getting the user
> namespace from struct cred on the task. struct cred may go away as
> soon as the rcu lock is released. This leads to a race where we
> can dereference a stale user namespace pointer.
>
> To make it obvious a struct cred is involved, kill task_user_ns.
>
> To kill the race, modify the users of task_user_ns to only
> reference the user namespace while the rcu lock is held.
>
> Cc: Kees Cook <keesc...@chromium.org>
> Cc: James Morris <james.l.mor...@oracle.com>
> Acked-by: Serge Hallyn <serge.hal...@canonical.com>
> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Nice catch! This is disappointingly messy looking, but I do not see any
sensible way to clean it up better than you've already done.

Acked-by: Kees Cook <keesc...@chromium.org>

-Kees

--
Kees Cook
Chrome OS Security