Home page logo

oss-sec logo oss-sec mailing list archives

[PATCH 0/1] (Was: CLONE_NEWUSER local DoS)
From: Oleg Nesterov <oleg () redhat com>
Date: Tue, 6 Aug 2013 19:38:27 +0200

On 08/06, Oleg Nesterov wrote:

On 08/06, Petr Matousek wrote:

spender reported [1] a local DoS triggerable by unprivileged user when
user namespaces are enabled (CONFIG_USER_NS).

  [1] https://twitter.com/grsecurity/status/364566062336978944

I see nothing related there, so the patch lacks Reported-by.

Who is reporter?


b836010000bb00000010cd80ebf2 is for(;;)unshare(1<<28);

What happens? OOM?

Yes, this leaks the memory, the patch seems to fix the problem.

I'll recheck, but at first glance this is simple, unshare_userns()
populates new_cred which is not freed by bad_unshare_cleanup_fd
if create_user_ns() fails. And create_user_ns() _should_ fail (iiuc)
when CLONE_NEWUSER is called for the second time and later due to

I'll send the patch, but perhaps there is something else. Eric?

Eric, Andy, the patch looks trivial, but it would be nice if you
can ack/nack. I am sending it to lkml.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]