diff --git a/patches.suse/net-add-sock_init_data_uid.patch b/patches.suse/net-add-sock_init_data_uid.patch
new file mode 100644
index 0000000..183d996
--- /dev/null
+++ b/patches.suse/net-add-sock_init_data_uid.patch
@@ -0,0 +1,84 @@
+From: Pietro Borrello
+Date: Sat, 4 Feb 2023 17:39:20 +0000
+Subject: net: add sock_init_data_uid()
+Git-commit: 584f3742890e966d2f0a1f3c418c9ead70b2d99e
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1076 bsc#1208599
+
+Add sock_init_data_uid() to explicitly initialize the socket uid.
+To initialise the socket uid, sock_init_data() assumes a the struct
+socket* sock is always embedded in a struct socket_alloc, used to
+access the corresponding inode uid. This may not be true.
+Examples are sockets created in tun_chr_open() and tap_open().
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Pietro Borrello
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ include/net/sock.h | 7 ++++++-
+ net/core/sock.c | 15 ++++++++++++---
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 22d50dabdc9d..da758f2273e4 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1739,7 +1739,12 @@ void sk_common_release(struct sock *sk);
+ * Default socket callbacks and setup code
+ */
+
+-/* Initialise core socket variables */
++/* Initialise core socket variables using an explicit uid. */
++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid);
++
++/* Initialise core socket variables.
++ * Assumes struct socket *sock is embedded in a struct socket_alloc.
++ */
+ void sock_init_data(struct socket *sock, struct sock *sk);
+
+ /*
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 652913df588d..28382b23afe2 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2878,7 +2878,7 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer)
+ }
+ EXPORT_SYMBOL(sk_stop_timer);
+
+-void sock_init_data(struct socket *sock, struct sock *sk)
++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)
+ {
+ sk_init_common(sk);
+ sk->sk_send_head = NULL;
+@@ -2897,11 +2897,10 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ sk->sk_type = sock->type;
+ RCU_INIT_POINTER(sk->sk_wq, &sock->wq);
+ sock->sk = sk;
+- sk->sk_uid = SOCK_INODE(sock)->i_uid;
+ } else {
+ RCU_INIT_POINTER(sk->sk_wq, NULL);
+- sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0);
+ }
++ sk->sk_uid = uid;
+
+ rwlock_init(&sk->sk_callback_lock);
+ if (sk->sk_kern_sock)
+@@ -2959,6 +2958,16 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ refcount_set(&sk->sk_refcnt, 1);
+ atomic_set(&sk->sk_drops, 0);
+ }
++EXPORT_SYMBOL(sock_init_data_uid);
++
++void sock_init_data(struct socket *sock, struct sock *sk)
++{
++ kuid_t uid = sock ?
++ SOCK_INODE(sock)->i_uid :
++ make_kuid(sock_net(sk)->user_ns, 0);
++
++ sock_init_data_uid(sock, sk, uid);
++}
+ EXPORT_SYMBOL(sock_init_data);
+
+ void lock_sock_nested(struct sock *sk, int subclass)
diff --git a/series.conf b/series.conf
index 1526dad..ac5d4a1 100644
--- a/series.conf
+++ b/series.conf
@@ -23066,6 +23066,7 @@
 patches.suse/HID-check-empty-report_list-in-bigben_probe.patch
 patches.suse/HID-betop-check-shape-of-output-reports.patch
 patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
+ patches.suse/net-add-sock_init_data_uid.patch
 patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch # netdev/net
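Review bot: In the net/core/sock.c part of the added patch, the new `sock_init_data()` wrapper still derives the uid through `SOCK_INODE(sock)->i_uid`, so any caller whose `struct socket` is not embedded in a `struct socket_alloc` keeps taking `sk_uid` from memory outside its own object until it is switched to `sock_init_data_uid()`. This patch adds the helper but converts no caller. The description names `tun_chr_open()` and `tap_open()` as such callers, and the series.conf hunk visible here adds only this one entry, so the CVE-2023-1076 reference appears to rely on companion patches that are not shown; it is worth confirming they land in the same update. I would also repeat the header's caveat at the definition, e.g. `/* sock must be embedded in a struct socket_alloc; otherwise use sock_init_data_uid() */` above the wrapper, and note on `sock_init_data_uid()` that `uid` is taken as given and that `sock` may be NULL.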