Re: CVE request: pid namespace leak in kernel 3.0 and 3.1

["Eric W. Biederman" <ebiederm () xmission com>]

Eugene Teo <eugeneteo () kernel sg> wrote:

> On Fri, Apr 20, 2012 at 5:48 AM, Marcus Meissner <meissner () suse de>
> wrote:
> > we had a user, Vadim Ponomarev (ccrssaa at karelia.ru),  report a pid
> > namespace leak caused by vsftpd.
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=757783
> >
> > He provided a simple reproducer:
> [...]
> > and checking "cat /proc/slabinfo|grep pid_namespace"
> > gives 10000 more active slots after running it on 3.0.13 (+SUSE
> patches) and 3.1.10 (+SUSE patches).
> > Running this on 3.2.0 (+SUSE Patches) did not result in more slots,
> so it was probably
> > fixed between 3.1 and 3.2 (but someone else cross check perhaps).
> >
> > Any idea welcome on which patch fixed this, I tried
> 1b26c9b334044cff6d1d2698f2be41bc7d9a0864
> > but it seems not helping.
>
> I tested this with 3.0.25-rt44.57.el6rt.x86_64 yesterday, and I was
> able to trigger the issue. The process needs to be privileged with
> CAP_SYS_ADMIN.
>
> Eric, besides struct pid_namespace, there is a corresponding struct
> pid_2 leak.

Hmm.

So we know what is holding the pid namespace reference.

Additional thoughts.

Does echo 3 > /proc/sys/vm/drop_caches clear up the issue?

Is there a corresponding task_struct leak?

Are the zombies getting reaped?

I don't have much of a clue or much concern as this seems fixed in later kernels but I am happy to suggest things to 
look for to help narrow this down.

Eric