| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Feb 2013 23:03:33 -0800 From: ebiederm@...ssion.com (Eric W. Biederman) To: Dave Jones <davej@...hat.com> Cc: Linux Kernel <linux-kernel@...r.kernel.org>, dhowells@...hat.com, "Serge E. Hallyn" <serge@...lyn.com> Subject: Re: commit_creds oops Dave Jones <davej@...hat.com> writes: > On Thu, Feb 28, 2013 at 04:25:40PM -0800, Eric W. Biederman wrote: > > > > [ 89.639850] RIP: 0010:[<ffffffff810784b0>] [<ffffffff810784b0>] commit_creds+0x250/0x2f0 > > > [ 89.658399] Call Trace: > > > [ 89.658822] [<ffffffff812c7d9b>] key_change_session_keyring+0xfb/0x140 > > > [ 89.659845] [<ffffffff8106c665>] task_work_run+0xa5/0xd0 > > > [ 89.660698] [<ffffffff81002911>] do_notify_resume+0x71/0xb0 > > > [ 89.661581] [<ffffffff816c9a4a>] int_signal+0x12/0x17 > > > > > > Appears to be.. > > > > > > if ((set_ns == subset_ns->parent) && > > > 850: 48 8b 8a c8 00 00 00 mov 0xc8(%rdx),%rcx > > > > > > from the inlined cred_cap_issubset > > > > Interesting. That line is protected with the check subset_ns != > > &init_user_ns so subset_ns->parent must be valid or subset_ns is not > > a proper user namespace. > > > > Ugh. I think I see what is going on and it is just silly. > > > > It looks like by historical accident we have been reading trying to set > > new->user_ns from new->user_ns. Which is totally silly as new->user_ns > > is NULL (as is every other field in new except session_keyring at that > > point). > > > > It looks like it is safe to sleep in key_change_session_keyring so why > > we just don't use prepare_creds there like everywhere else is beyond > > me. > > > > The intent is clearly to copy all of the fields from old to new so what > > we should be doing is is copying old->user_ns into new->user_ns. > > > > Dave can you verify that this patch fixes the oops? > > Looks like it. Haven't hit the same thing since applying your patch. > > I noticed though that get_user_ns bumps a refcount. Is this what we > want if we're just copying ? Yes. commit_creds(new) winds up finding old on the current process and calling put_cred(old). put_cred when the count drops to zero winds up calling put_cred_rcu which calls put_user_ns(old->user_ns); For the same reason we need an extra count on the user namespace new so that when it eventually is put and put_user_ns(new->user_ns) is called we don't have a negative count. Which is a long of way of saying yes we are adding another reference and we need to increase the reference count. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists