提交 626ac545 编写于 作者: S Serge E. Hallyn 提交者: Linus Torvalds

user namespace: fix copy_user_ns return value

When a CONFIG_USER_NS=n and a user tries to unshare some namespace other
than the user namespace, the dummy copy_user_ns returns NULL rather than
the old_ns.

This value then gets assigned to task->nsproxy->user_ns, so that a
subsequent setuid, which uses task->nsproxy->user_ns, causes a NULL
pointer deref.

Fix this by returning old_ns.
Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 9550b105
......@@ -49,7 +49,7 @@ static inline struct user_namespace *copy_user_ns(int flags,
if (flags & CLONE_NEWUSER)
return ERR_PTR(-EINVAL);
return NULL;
return old_ns;
}
static inline void put_user_ns(struct user_namespace *ns)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册