Miroslav Franc d8ba75
From: Pietro Borrello <borrello@diag.uniroma1.it>
Date: Sat, 4 Feb 2023 17:39:21 +0000
Subject: tun: tun_chr_open(): correctly initialize socket uid
Git-commit: a096ccca6e503a5c575717ff8a36ace27510ab0a
Patch-mainline: v6.3-rc1
References: CVE-2023-1076 bsc#1208599
sock_init_data() assumes that the `struct socket` passed in input is
contained in a `struct socket_alloc` allocated with sock_alloc().
However, tun_chr_open() passes a `struct socket` embedded in a `struct
tun_file` allocated with sk_alloc().
This causes a type confusion when issuing a container_of() with
SOCK_INODE() in sock_init_data() which results in assigning a wrong
sk_uid to the `struct sock` in input.
On default configuration, the type confused field overlaps with the
high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`,
NULL at the time of call, which makes the uid of all tun sockets 0,
i.e., the root one.
Fix the assignment by using sock_init_data_uid().
Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Miroslav Franc <mfranc@suse.cz>
---
 drivers/net/tun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a7d17c680f4a..745131b2d6db 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3448,7 +3448,7 @@ static int tun_chr_open(struct inode *inode, struct file * file)
 	tfile->socket.file = file;
 	tfile->socket.ops = &tun_socket_ops;
 
-	sock_init_data(&tfile->socket, &tfile->sk);
+	sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);
 
 	tfile->sk.sk_write_space = tun_sock_write_space;
 	tfile->sk.sk_sndbuf = INT_MAX;
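
Review bot: `inode->i_uid` in the new `sock_init_data_uid()` call is the owner of the character-device inode being opened, not the identity of the process that opens it, so on a device node owned by root sk_uid would still end up 0, which is the outcome the commit message sets out to fix. Consider passing the opener's credentials instead, e.g. `current_fsuid()`, or add a comment at this call stating why the inode owner is the intended uid for tun sockets.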