Description of problem:
The 2.6.35.11 stable kernel has a credentials leak in it due to one of the following patches:

cab9e9848b9a8283b0504a2d7c435a9f5ba026de scm: Capture the full credentials of the scm sender.
76319701efb717e4a159f4cdb159646c6862e6a0 af_unix: Allow credentials to work across user and pid namespaces.
7d77e1c063cba215c6217e0fca3bbd4f53ec7f4d user_ns: Introduce user_nsmap_uid and user_ns_map_gid.
afa01a2cc021a5f03f02364bb867af3114395304 sock: Introduce cred_to_ucred

Only the fourth patch is confirmed bad by bisection; the other three patches don't build. The patch preceding all of those is good.

Version-Release number of selected component (if applicable):
kernel-2.6.35.11-83.fc14.x86_64

How reproducible:
100%

Steps to Reproduce:
Run the following script:

#!/bin/bash
for ((i=0; i<100; i++))
do
    su - -c /bin/true
    #cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
    cat /proc/keys | wc -l
done

Note the number of keys going up and up.

If the kernel is built with SLAB rather than SLUB, the outstanding cred count is huge and increases rapidly rather than staying roughly constant.

The bug does not appear to be in the upstream head or F-15 kernels.
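To measure the leak rather than eyeball /proc/keys, the following added helper (not part of the bug report) compares the active-object count of a slab cache between two /proc/slabinfo snapshots; the cache names cred_jar (struct cred) and key_jar (struct key) are assumed.

```shell
#!/bin/bash
# Added example, not from the bug report: quantify cred/key growth across
# a batch of su runs by diffing two saved copies of /proc/slabinfo.
# Assumed slab cache names: cred_jar for struct cred, key_jar for struct key.

# slab_active NAME FILE: print active_objs for cache NAME from a
# slabinfo-formatted FILE (columns: name active_objs num_objs ...).
slab_active() {
    awk -v n="$1" '$1 == n { print $2; exit }' "$2"
}

# slab_delta NAME BEFORE AFTER: print growth in active objects of NAME
# between two snapshots. A value that keeps climbing after every batch of
# su invocations is the leak signature described in this bug; on a fixed
# kernel it settles around zero once the cache has warmed up.
slab_delta() {
    local a b
    a=$(slab_active "$1" "$2")
    b=$(slab_active "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "slab cache '$1' not found in snapshot" >&2
        return 1
    fi
    echo $(( b - a ))
}

# Live usage on a test box (reading /proc/slabinfo requires root):
#   cp /proc/slabinfo /tmp/before
#   for i in $(seq 100); do su - -c /bin/true; done
#   cp /proc/slabinfo /tmp/after
#   slab_delta cred_jar /tmp/before /tmp/after
#   slab_delta key_jar  /tmp/before /tmp/after
```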
After rearranging the four patches mentioned in the opening comment, I've isolated it to the patch ensubjected: scm: Capture the full credentials of the scm sender.
The following commit from Linus's kernel is needed in 2.6.35.11 to fix this bug:

commit b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6
Author: Eric W. Biederman <ebiederm>
Date:   Sun Jun 13 03:31:06 2010 +0000

    af_netlink: Add needed scm_destroy after scm_send.

    scm_send occasionally allocates state in the scm_cookie, so I have modified netlink_sendmsg to guarantee that when scm_send succeeds scm_destroy will be called to free that state.

    Signed-off-by: Eric W. Biederman <ebiederm>
    Reviewed-by: Daniel Lezcano <daniel.lezcano>
    Acked-by: Pavel Emelyanov <xemul>
    Signed-off-by: David S. Miller <davem>
*** Bug 682324 has been marked as a duplicate of this bug. ***
Two different fixes for this were added in 2.6.35.12:

http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=commitdiff;h=48e6b121605512d87f8da1ccd014313489c19630
http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=commitdiff;h=04d450668aa58e6202916ad870cdfc73621dee26
kernel-2.6.35.12-90.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.12-90.fc14
Package kernel-2.6.35.12-90.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing kernel-2.6.35.12-90.fc14'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/kernel-2.6.35.12-90.fc14
then log in and leave karma (feedback).
kernel-2.6.35.12-90.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.