Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 6 Aug 2013 19:38:27 +0200
From: Oleg Nesterov <oleg@...hat.com>
To: security@...nel.org, oss-security@...ts.openwall.com,
        Petr Matousek <pmatouse@...hat.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
        Andy Lutomirski <luto@...capital.net>,
        David Howells <dhowells@...hat.com>
Subject: [PATCH 0/1] (Was: CLONE_NEWUSER local DoS)

On 08/06, Oleg Nesterov wrote:
>
> On 08/06, Petr Matousek wrote:
> >
> > spender reported [1] a local DoS triggerable by unprivileged user when
> > user namespaces are enabled (CONFIG_USER_NS).
> >
> >   [1] https://twitter.com/grsecurity/status/364566062336978944

I see nothing related there, so the patch lacks Reported-by.

Who is reporter?

> > Reproducer:
> >
> > b836010000bb00000010cd80ebf2 is for(;;)unshare(1<<28);
>
> What happens? OOM?

Yes, this leaks the memory, the patch seems to fix the problem.

> I'll recheck, but at first glance this is simple, unshare_userns()
> populates new_cred which is not freed by bad_unshare_cleanup_fd
> if create_user_ns() fails. And create_user_ns() _should_ fail (iiuc)
> when CLONE_NEWUSER is called for the second time and later due to
> !kuid_has_mapping().
>
> I'll send the patch, but perhaps there is something else. Eric?

Eric, Andy, the patch looks trivial, but it would be nice if you
can ack/nack. I am sending it to lkml.

Oleg.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.