Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752888Ab2KSWex (ORCPT ); Mon, 19 Nov 2012 17:34:53 -0500
Received: from mail-ob0-f174.google.com ([209.85.214.174]:62232 "EHLO mail-ob0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752017Ab2KSWev (ORCPT ); Mon, 19 Nov 2012 17:34:51 -0500
MIME-Version: 1.0
In-Reply-To: <1353337961-12962-8-git-send-email-ebiederm@xmission.com>
References: <87lidx8wbo.fsf@xmission.com> <1353337961-12962-1-git-send-email-ebiederm@xmission.com> <1353337961-12962-8-git-send-email-ebiederm@xmission.com>
Date: Mon, 19 Nov 2012 14:34:50 -0800
X-Google-Sender-Auth: jaRLD_So5yggDcH8uMAF6VTaqeY
Message-ID:
Subject: Re: [PATCH review 08/16] userns: Kill task_user_ns
From: Kees Cook
To: "Eric W. Biederman"
Cc: Linux Containers , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, "Serge E. Hallyn" , James Morris
Content-Type: text/plain; charset=ISO-8859-1
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1252
Lines: 34

On Mon, Nov 19, 2012 at 7:12 AM, Eric W. Biederman wrote:
> From: "Eric W. Biederman"
>
> The task_user_ns function hides the fact that it is getting the user
> namespace from struct cred on the task. struct cred may go away as
> soon as the rcu lock is released. This leads to a race where we
> can dereference a stale user namespace pointer.
>
> To make it obvious a struct cred is involved kill task_user_ns.
>
> To kill the race modify the users of task_user_ns to only
> reference the user namespace while the rcu lock is held.
>
> Cc: Kees Cook
> Cc: James Morris
> Acked-by: Serge Hallyn
> Signed-off-by: "Eric W. Biederman"

Nice catch! This is disappointingly messy looking, but I do not see
any sensible way to clean it up better than you've already done.

Acked-by: Kees Cook

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
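
The race described in the quoted commit message, as an added example that is not part of the original mail or of the kernel patch: a single-threaded userspace model in which the writer is run at the exact point where the window opens. The `model_*` functions, `grace_period` and `ns_live_at_use` are hypothetical stand-ins for the kernel's RCU and credential handling, and "freed" is modelled by clearing a `live` flag so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

struct user_ns { bool live; };
struct cred    { struct user_ns *user_ns; };
struct task    { struct cred *cred; };

static int readers;          /* model of RCU read-side nesting depth */
static struct cred *pending; /* replaced cred awaiting a grace period */

/* Model: once no reader is inside a read section, the old cred is
 * freed and drops the last reference to its user namespace. */
static void grace_period(void)
{
    if (readers == 0 && pending) {
        pending->user_ns->live = false;
        pending = NULL;
    }
}
static void model_rcu_read_lock(void)   { readers++; }
static void model_rcu_read_unlock(void) { readers--; grace_period(); }

/* Writer: install new credentials; the old ones go away after a grace period. */
static void model_commit_creds(struct task *t, struct cred *new_cred)
{
    pending = t->cred;
    t->cred = new_cred;
    grace_period();
}

/* Returns whether the namespace was still live when the reader used it. */
static bool ns_live_at_use(bool hold_lock_across_use)
{
    struct user_ns old_ns = { true }, new_ns = { true };
    struct cred old_cred = { &old_ns }, new_cred = { &new_ns };
    struct task t = { &old_cred };
    readers = 0; pending = NULL;

    model_rcu_read_lock();
    struct user_ns *ns = t.cred->user_ns;
    if (!hold_lock_across_use)
        model_rcu_read_unlock();       /* old helper: lock dropped before use */
    model_commit_creds(&t, &new_cred); /* writer runs in the window */
    bool live = ns->live;              /* the reader's actual use of the pointer */
    if (hold_lock_across_use)
        model_rcu_read_unlock();
    return live;
}

int main(void) { printf("%d %d\n", ns_live_at_use(false), ns_live_at_use(true)); return 0; }
```

With the lock dropped before the use, the reader sees a namespace that has already been released; holding the read section across the use defers the release until the reader is done.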