From: Pietro Borrello <borrello@diag.uniroma1.it>

Date: Sat, 4 Feb 2023 17:39:20 +0000

Subject: net: add sock_init_data_uid()

Git-commit: 584f3742890e966d2f0a1f3c418c9ead70b2d99e

Patch-mainline: v6.3-rc1

References: CVE-2023-1076 bsc#1208599

Add sock_init_data_uid() to explicitly initialize the socket uid.

To initialise the socket uid, sock_init_data() assumes a the struct

socket* sock is always embedded in a struct socket_alloc, used to

access the corresponding inode uid. This may not be true.

Examples are sockets created in tun_chr_open() and tap_open().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")

Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

Acked-by: Miroslav Franc <mfranc@suse.cz>

---

 include/net/sock.h |  7 ++++++-

 net/core/sock.c    | 15 ++++++++++++---

 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h

index 22d50dabdc9d..da758f2273e4 100644

--- a/include/net/sock.h

+++ b/include/net/sock.h

@@ -1739,7 +1739,12 @@ void sk_common_release(struct sock *sk);

  *	Default socket callbacks and setup code

  */

-/* Initialise core socket variables */

+/* Initialise core socket variables using an explicit uid. */

+void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid);

+

+/* Initialise core socket variables.

+ * Assumes struct socket *sock is embedded in a struct socket_alloc.

+ */

 void sock_init_data(struct socket *sock, struct sock *sk);

 /*

diff --git a/net/core/sock.c b/net/core/sock.c

index 652913df588d..28382b23afe2 100644

--- a/net/core/sock.c

+++ b/net/core/sock.c

@@ -2878,7 +2878,7 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer)

 }

 EXPORT_SYMBOL(sk_stop_timer);

-void sock_init_data(struct socket *sock, struct sock *sk)

+void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)

 {

 	sk_init_common(sk);

 	sk->sk_send_head	=	NULL;

@@ -2897,11 +2897,10 @@ void sock_init_data(struct socket *sock, struct sock *sk)

 		sk->sk_type	=	sock->type;

 		RCU_INIT_POINTER(sk->sk_wq, &sock->wq);

 		sock->sk	=	sk;

-		sk->sk_uid	=	SOCK_INODE(sock)->i_uid;

 	} else {

 		RCU_INIT_POINTER(sk->sk_wq, NULL);

-		sk->sk_uid	=	make_kuid(sock_net(sk)->user_ns, 0);

 	}

+	sk->sk_uid	=	uid;

 	rwlock_init(&sk->sk_callback_lock);

 	if (sk->sk_kern_sock)

@@ -2959,6 +2958,16 @@ void sock_init_data(struct socket *sock, struct sock *sk)

 	refcount_set(&sk->sk_refcnt, 1);

 	atomic_set(&sk->sk_drops, 0);

 }

+EXPORT_SYMBOL(sock_init_data_uid);

+

+void sock_init_data(struct socket *sock, struct sock *sk)

+{

+	kuid_t uid = sock ?

+		SOCK_INODE(sock)->i_uid :

+		make_kuid(sock_net(sk)->user_ns, 0);

+

+	sock_init_data_uid(sock, sk, uid);

+}

 EXPORT_SYMBOL(sock_init_data);

 void lock_sock_nested(struct sock *sk, int subclass)