Message ID | 1376606877-22599-1-git-send-email-kamal@canonical.com |
---|---|
State | New |
Headers | show |
On 08/15, Kamal Mostafa wrote: > > commit 6160968cee8b90a5dd95318d716e31d7775c4ef3 upstream. > > unshare_userns(new_cred) does *new_cred = prepare_creds() before > create_user_ns() which can fail. However, the caller expects that > it doesn't need to take care of new_cred if unshare_userns() fails. I'd also suggest you to take the next commit, 8742f229b635b "userns: limit the maximum depth of user_namespace->parent chain". I forgot to cc -stable, sorry. As Andy pointed out unshare_userns() has problems even if succeeds. Oleg.
On Fri, 2013-08-16 at 13:59 +0200, Oleg Nesterov wrote: > On 08/15, Kamal Mostafa wrote: > > > > commit 6160968cee8b90a5dd95318d716e31d7775c4ef3 upstream. > > > > unshare_userns(new_cred) does *new_cred = prepare_creds() before > > create_user_ns() which can fail. However, the caller expects that > > it doesn't need to take care of new_cred if unshare_userns() fails. > > I'd also suggest you to take the next commit, 8742f229b635b > "userns: limit the maximum depth of user_namespace->parent chain". > I forgot to cc -stable, sorry. > > > As Andy pointed out unshare_userns() has problems even if succeeds. > > Oleg. Thanks very much, Oleg. I'll queue up 8742f229b635b as well. -Kamal
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index f359dc7..38ae0f5 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -105,16 +105,21 @@ int create_user_ns(struct cred *new) int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) { struct cred *cred; + int err = -ENOMEM; if (!(unshare_flags & CLONE_NEWUSER)) return 0; cred = prepare_creds(); - if (!cred) - return -ENOMEM; + if (cred) { + err = create_user_ns(cred); + if (err) + put_cred(cred); + else + *new_cred = cred; + } - *new_cred = cred; - return create_user_ns(cred); + return err; } void free_user_ns(struct kref *kref)