Home page logo
/

oss-sec logo oss-sec mailing list archives

[PATCH 0/1] (Was: CLONE_NEWUSER local DoS)
From: Oleg Nesterov <oleg () redhat com>
Date: Tue, 6 Aug 2013 19:38:27 +0200

On 08/06, Oleg Nesterov wrote:

On 08/06, Petr Matousek wrote:

spender reported [1] a local DoS triggerable by unprivileged user when
user namespaces are enabled (CONFIG_USER_NS).

  [1] https://twitter.com/grsecurity/status/364566062336978944

I see nothing related there, so the patch lacks Reported-by.

Who is reporter?

Reproducer:

b836010000bb00000010cd80ebf2 is for(;;)unshare(1<<28);

What happens? OOM?

Yes, this leaks the memory, the patch seems to fix the problem.

I'll recheck, but at first glance this is simple, unshare_userns()
populates new_cred which is not freed by bad_unshare_cleanup_fd
if create_user_ns() fails. And create_user_ns() _should_ fail (iiuc)
when CLONE_NEWUSER is called for the second time and later due to
!kuid_has_mapping().

I'll send the patch, but perhaps there is something else. Eric?

Eric, Andy, the patch looks trivial, but it would be nice if you
can ack/nack. I am sending it to lkml.

Oleg.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]