ipcns: fix use after free in free_ipc_ns()
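--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -11,10 +11,12 @@
 #include <linux/slab.h>
 #include <linux/fs.h>
 #include <linux/mount.h>
+#include <linux/user_namespace.h>
 #include "util.h"
-static struct ipc_namespace *create_ipc_ns(void)
+static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
+ struct ipc_namespace *old_ns)
 {
 struct ipc_namespace *ns;
 int err;
@@ -43,14 +45,19 @@ static struct ipc_namespace *create_ipc_ns(void)
 ipcns_notify(IPCNS_CREATED);
 register_ipcns_notifier(ns);
+ ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+
 return ns;
 }
-struct ipc_namespace *copy_ipcs(unsigned long flags, struct ipc_namespace *ns)
+struct ipc_namespace *copy_ipcs(unsigned long flags,
+ struct task_struct *tsk)
 {
+ struct ipc_namespace *ns = tsk->nsproxy->ipc_ns;
+
 if (!(flags & CLONE_NEWIPC))
 return get_ipc_ns(ns);
- return create_ipc_ns();
+ return create_ipc_ns(tsk, ns);
 }
 /*
@@ -97,7 +104,6 @@ static void free_ipc_ns(struct ipc_namespace *ns)
 sem_exit_ns(ns);
 msg_exit_ns(ns);
 shm_exit_ns(ns);
- kfree(ns);
 atomic_dec(&nr_ipc_ns);
 /*
@@ -105,6 +111,8 @@ static void free_ipc_ns(struct ipc_namespace *ns)
 * order to have a correct value when recomputing msgmni.
 */
 ipcns_notify(IPCNS_REMOVED);
+ put_user_ns(ns->user_ns);
+ kfree(ns);
 }
 /*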
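Review bot: In create_ipc_ns(), `ns->user_ns` is assigned only after `ipcns_notify(IPCNS_CREATED)` and `register_ipcns_notifier(ns)`, so the namespace is announced and hooked into the notifier chain while its owning user namespace pointer is still unset. free_ipc_ns() now calls `put_user_ns(ns->user_ns)` unconditionally, so every path that can reach it depends on that field holding a valid, referenced pointer. I would move `ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);` above the `ipcns_notify(IPCNS_CREATED);` line so the object is fully initialised before it becomes visible. The start of create_ipc_ns() lies outside the hunks, so whether the allocation is zeroed and how its error paths free `ns` cannot be confirmed here. The new `old_ns` parameter is not used in any visible line and deserves a short comment saying what it is for.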