On Mon, Nov 19, 2012 at 7:12 AM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> The task_user_ns function hides the fact that it is getting the user
> namespace from struct cred on the task. struct cred may go away as
> soon as the rcu lock is released. This leads to a race where we
> can dereference a stale user namespace pointer.
>
> To make it obvious a struct cred is involved kill task_user_ns.
>
> To kill the race modify the users of task_user_ns to only
> reference the user namespace while the rcu lock is held.
>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: James Morris <james.l.morris@xxxxxxxxxx>
> Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Nice catch! This is disappointingly messy looking, but I do not see any
sensible way to clean it up better than you've already done.

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

-Kees

--
Kees Cook
Chrome OS Security