• Eric W. Biederman's avatar
    userns: Kill task_user_ns · 4c44aaaf
    Eric W. Biederman authored
    The task_user_ns function hides the fact that it is getting the user
    namespace from struct cred on the task.  struct cred may go away as
    soon as the rcu lock is released.  This leads to a race where we
    can dereference a stale user namespace pointer.
    
    To make it obvious a struct cred is involved kill task_user_ns.
    
    To kill the race modify the users of task_user_ns to only
    reference the user namespace while the rcu lock is held.
    
    Cc: Kees Cook <keescook@chromium.org>
    Cc: James Morris <james.l.morris@oracle.com>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    4c44aaaf
ptrace.c 26.5 KB