From: Kees Cook
Subject: Re: [PATCH review 08/16] userns: Kill task_user_ns
Date: Mon, 19 Nov 2012 14:34:50 -0800
To: "Eric W. Biederman"
Cc: linux-fsdevel, Linux Containers, linux-kernel, James Morris
In-Reply-To: <1353337961-12962-8-git-send-email-ebiederm@xmission.com>
References: <87lidx8wbo.fsf@xmission.com> <1353337961-12962-1-git-send-email-ebiederm@xmission.com> <1353337961-12962-8-git-send-email-ebiederm@xmission.com>

On Mon, Nov 19, 2012 at 7:12 AM, Eric W. Biederman wrote:
> From: "Eric W. Biederman"
>
> The task_user_ns function hides the fact that it is getting the user
> namespace from struct cred on the task. struct cred may go away as
> soon as the rcu lock is released. This leads to a race where we
> can dereference a stale user namespace pointer.
>
> To make it obvious a struct cred is involved kill task_user_ns.
>
> To kill the race modify the users of task_user_ns to only
> reference the user namespace while the rcu lock is held.
>
> Cc: Kees Cook
> Cc: James Morris
> Acked-by: Serge Hallyn
> Signed-off-by: "Eric W. Biederman"

Nice catch! This is disappointingly messy looking, but I do not see any
sensible way to clean it up better than you've already done.

Acked-by: Kees Cook

-Kees

--
Kees Cook
Chrome OS Security
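The race the quoted commit message describes, as an added example that is not part of this thread or of the kernel patch: a stand-alone user-space model in which the RCU read lock is a depth counter and `ns_id()` acts as a lockdep-style check that counts dereferences made outside the locked section. The struct layouts, the `same_user_ns_*` callers, `stale_uses_of()` and the two sample namespaces are all constructed for the model and do not match the real kernel types.

```c
/* Added user-space model, not kernel code: the RCU lock is a depth counter. */
#include <stdbool.h>
struct user_namespace { int id; };
struct cred { struct user_namespace *user_ns; };
struct task { struct cred *cred; };
static int rcu_depth;   /* models RCU read-side nesting */
static int stale_uses;  /* dereferences made with no RCU lock held */
static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }
/* The pointer came from task->cred, which may be freed once the RCU section
 * ends; a dereference after that is the stale use the commit describes. */
static int ns_id(struct user_namespace *ns)
{
    if (rcu_depth == 0)
        stale_uses++;
    return ns->id;
}
/* Shape of the removed task_user_ns(): it hides that the result is only
 * valid while the cred it was read from is still protected. */
static struct user_namespace *task_user_ns(struct task *t) { return t->cred->user_ns; }
/* Racy caller: pointers taken under the lock, dereferenced after it. */
static bool same_user_ns_racy(struct task *a, struct task *b)
{
    struct user_namespace *na, *nb;
    rcu_read_lock();
    na = task_user_ns(a);
    nb = task_user_ns(b);
    rcu_read_unlock();
    return ns_id(na) == ns_id(nb);
}

/* Fixed caller: read the cred and finish the comparison under the lock. */
static bool same_user_ns_fixed(struct task *a, struct task *b)
{
    rcu_read_lock();
    bool same = ns_id(a->cred->user_ns) == ns_id(b->cred->user_ns);
    rcu_read_unlock();
    return same;
}
/* Constructed sample tasks in two different user namespaces. */
static struct user_namespace init_ns = { 1 }, child_ns = { 2 };
static struct cred cred_a = { &init_ns }, cred_b = { &child_ns };
static struct task task_a = { &cred_a }, task_b = { &cred_b };
/* Runs one variant and reports how many out-of-lock dereferences it made. */
static int stale_uses_of(bool (*cmp)(struct task *, struct task *))
{
    stale_uses = 0;
    cmp(&task_a, &task_b);
    return stale_uses;
}
```

In the model the racy caller makes two dereferences after the lock is dropped while the fixed caller makes none, which is exactly the discipline the patch imposes on the former users of task_user_ns.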