On Mon, Nov 19, 2012 at 7:12 AM, Eric W. Biederman <[email protected]> wrote:
> From: "Eric W. Biederman" <[email protected]>
>
> The task_user_ns function hides the fact that it is getting the user
> namespace from struct cred on the task.  struct cred may go away as
> soon as the rcu lock is released.  This leads to a race where we
> can dereference a stale user namespace pointer.
>
> To make it obvious a struct cred is involved kill task_user_ns.
>
> To kill the race modify the users of task_user_ns to only
> reference the user namespace while the rcu lock is held.
>
> Cc: Kees Cook <[email protected]>
> Cc: James Morris <[email protected]>
> Acked-by: Serge Hallyn <[email protected]>
> Signed-off-by: "Eric W. Biederman" <[email protected]>
Nice catch! This is disappointingly messy looking, but I do not see any
sensible way to clean it up better than you've already done.

Acked-by: Kees Cook <[email protected]>

-Kees

-- 
Kees Cook
Chrome OS Security
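The race the commit message describes, shown as a user-space model added here. This is not the patch's code and not kernel code: the structs, the RCU primitives, and the names task_user_ns and commit_creds are stand-ins constructed for the model, and "freed" objects are poisoned rather than released so the stale dereference can be observed without undefined behaviour. The point it demonstrates is the one the patch makes: a helper that takes and drops the rcu read lock internally hands back a pointer that is already unprotected, whereas a caller that holds the lock across the dereference keeps the old struct cred (and the user_ns it references) alive until it is done.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel objects (constructed for this model). */
struct user_namespace { int level; bool freed; };
struct cred { struct user_namespace *user_ns; bool freed; };
struct task_struct { struct cred *cred; };   /* RCU-protected pointer */

/* Model of RCU: count of read-side critical sections and one deferred free. */
static int rcu_readers;
static struct cred *rcu_deferred;

/* Free a cred. It held the last reference to its user_ns, so that goes too.
 * Objects are poisoned instead of released so a stale read stays visible. */
static void cred_free(struct cred *c)
{
    c->freed = true;
    c->user_ns->freed = true;
    c->user_ns->level = -1;
}

static void rcu_read_lock(void) { rcu_readers++; }

static void rcu_read_unlock(void)
{
    if (--rcu_readers == 0 && rcu_deferred) {   /* grace period completes */
        cred_free(rcu_deferred);
        rcu_deferred = NULL;
    }
}

/* call_rcu() for a cred: free at once if no reader can see it, else defer. */
static void cred_free_rcu(struct cred *c)
{
    if (rcu_readers == 0)
        cred_free(c);
    else
        rcu_deferred = c;
}

/* commit_creds(): publish new creds, release the old ones after a grace period. */
static void commit_creds(struct task_struct *tsk, struct cred *new)
{
    struct cred *old = tsk->cred;
    tsk->cred = new;
    cred_free_rcu(old);
}

/* The helper the patch removes: it takes and drops the rcu lock internally,
 * so the user_ns pointer it returns is unprotected as soon as it returns. */
static struct user_namespace *task_user_ns(struct task_struct *tsk)
{
    struct user_namespace *ns;
    rcu_read_lock();
    ns = tsk->cred->user_ns;
    rcu_read_unlock();
    return ns;
}

struct observation {
    int level;             /* what the reader saw (-1 means poisoned memory) */
    bool stale;            /* the user_ns was already freed when read */
    bool old_freed_after;  /* the old cred did get freed once the reader was done */
};

/* Both callers race a commit_creds() on "another CPU"; the interleaving is
 * forced by calling it between taking the pointer and using it. */
static struct observation read_unsafe(struct task_struct *tsk, struct cred *new)
{
    struct cred *old = tsk->cred;
    struct user_namespace *ns = task_user_ns(tsk);  /* lock already dropped */
    commit_creds(tsk, new);                          /* old cred freed right now */
    return (struct observation){ ns->level, ns->freed, old->freed };
}

static struct observation read_safe(struct task_struct *tsk, struct cred *new)
{
    struct observation o;
    struct cred *old = tsk->cred;
    rcu_read_lock();
    struct user_namespace *ns = tsk->cred->user_ns;  /* __task_cred(tsk)->user_ns */
    commit_creds(tsk, new);                          /* free is deferred */
    o.level = ns->level;
    o.stale = ns->freed;
    rcu_read_unlock();                               /* deferred free runs here */
    o.old_freed_after = old->freed;
    return o;
}

/* Constructed scenario: one task, old creds in ns level 1, new creds in level 2. */
struct scenario {
    struct user_namespace ns_old, ns_new;
    struct cred cred_old, cred_new;
    struct task_struct tsk;
};

static void scenario_init(struct scenario *s)
{
    s->ns_old = (struct user_namespace){ .level = 1, .freed = false };
    s->ns_new = (struct user_namespace){ .level = 2, .freed = false };
    s->cred_old = (struct cred){ .user_ns = &s->ns_old, .freed = false };
    s->cred_new = (struct cred){ .user_ns = &s->ns_new, .freed = false };
    s->tsk.cred = &s->cred_old;
    rcu_readers = 0;
    rcu_deferred = NULL;
}

/* Run each caller through a fresh scenario and report what it observed. */
static struct observation observe_unsafe(void)
{
    struct scenario s;
    scenario_init(&s);
    return read_unsafe(&s.tsk, &s.cred_new);
}

static struct observation observe_safe(void)
{
    struct scenario s;
    scenario_init(&s);
    return read_safe(&s.tsk, &s.cred_new);
}

int main(void)
{
    struct observation u = observe_unsafe(), s = observe_safe();
    printf("task_user_ns() caller: level=%d stale=%d\n", u.level, u.stale);
    printf("rcu-held caller:       level=%d stale=%d\n", s.level, s.stale);
    return 0;
}
```

In the model the writer's commit_creds() lands between the read of the pointer and its use, which is the interleaving the commit message warns about; the safe caller differs only in where rcu_read_unlock() sits, which is exactly the change the patch makes at each former task_user_ns() call site.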

