Message ID | 20200929113139.440184-2-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | CVE-2020-26088 | expand |
On 29.09.20 13:31, Thadeu Lima de Souza Cascardo wrote: > From: Qingyu Li <ieatmuttonchuan@gmail.com> > > When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. > > Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) > CVE-2020-26088 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > net/nfc/rawsock.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c > index ba5ffd3badd3..b5c867fe3232 100644 > --- a/net/nfc/rawsock.c > +++ b/net/nfc/rawsock.c > @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, > if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) > return -ESOCKTNOSUPPORT; > > - if (sock->type == SOCK_RAW) > + if (sock->type == SOCK_RAW) { > + if (!capable(CAP_NET_RAW)) > + return -EPERM; > sock->ops = &rawsock_raw_ops; > - else > + } else { > sock->ops = &rawsock_ops; > + } > > sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); > if (!sk) >
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> On Tue, Sep 29, 2020 at 08:31:39AM -0300, Thadeu Lima de Souza Cascardo wrote: > From: Qingyu Li <ieatmuttonchuan@gmail.com> > > When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. > > Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) > CVE-2020-26088 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/nfc/rawsock.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c > index ba5ffd3badd3..b5c867fe3232 100644 > --- a/net/nfc/rawsock.c > +++ b/net/nfc/rawsock.c > @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, > if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) > return -ESOCKTNOSUPPORT; > > - if (sock->type == SOCK_RAW) > + if (sock->type == SOCK_RAW) { > + if (!capable(CAP_NET_RAW)) > + return -EPERM; > sock->ops = &rawsock_raw_ops; > - else > + } else { > sock->ops = &rawsock_ops; > + } > > sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); > if (!sk) > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
This patch was applied in the following patchset: UBUNTU: upstream stable to v5.4.59 BugLink: https://bugs.launchpad.net/bugs/1892417 Thanks! Ian On 2020-09-29 08:31:39 , Thadeu Lima de Souza Cascardo wrote: > From: Qingyu Li <ieatmuttonchuan@gmail.com> > > When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. > > Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) > CVE-2020-26088 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/nfc/rawsock.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c > index ba5ffd3badd3..b5c867fe3232 100644 > --- a/net/nfc/rawsock.c > +++ b/net/nfc/rawsock.c > @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, > if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) > return -ESOCKTNOSUPPORT; > > - if (sock->type == SOCK_RAW) > + if (sock->type == SOCK_RAW) { > + if (!capable(CAP_NET_RAW)) > + return -EPERM; > sock->ops = &rawsock_raw_ops; > - else > + } else { > sock->ops = &rawsock_ops; > + } > > sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); > if (!sk) > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Hi Ian, Please note that this patch was requested for focal/linux-oem-5.6 and not for focal/linux. Cascardo likely noticed that this was already queued for a focal/linux upstream stable update and hasn't explicitly requested its inclusion. Kleber On 03.10.20 00:50, Ian May wrote: > This patch was applied in the following patchset: > > UBUNTU: upstream stable to v5.4.59 > BugLink: https://bugs.launchpad.net/bugs/1892417 > > Thanks! > Ian > > On 2020-09-29 08:31:39 , Thadeu Lima de Souza Cascardo wrote: >> From: Qingyu Li <ieatmuttonchuan@gmail.com> >> >> When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. >> >> Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> >> Signed-off-by: David S. Miller <davem@davemloft.net> >> (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) >> CVE-2020-26088 >> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> >> --- >> net/nfc/rawsock.c | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> >> diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c >> index ba5ffd3badd3..b5c867fe3232 100644 >> --- a/net/nfc/rawsock.c >> +++ b/net/nfc/rawsock.c >> @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, >> if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) >> return -ESOCKTNOSUPPORT; >> >> - if (sock->type == SOCK_RAW) >> + if (sock->type == SOCK_RAW) { >> + if (!capable(CAP_NET_RAW)) >> + return -EPERM; >> sock->ops = &rawsock_raw_ops; >> - else >> + } else { >> sock->ops = &rawsock_ops; >> + } >> >> sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); >> if (!sk) >> -- >> 2.25.1 >> >> >> -- >> kernel-team mailing list >> kernel-team@lists.ubuntu.com >> https://lists.ubuntu.com/mailman/listinfo/kernel-team >
On Tue, Oct 06, 2020 at 09:50:56AM +0200, Kleber Souza wrote: > Hi Ian, > > Please note that this patch was requested for focal/linux-oem-5.6 and > not for focal/linux. Cascardo likely noticed that this was already > queued for a focal/linux upstream stable update and hasn't explicitly > requested its inclusion. > > > Kleber > Yes, that was the case. The triager told me that it was pending on focal/linux, but needed on focal/linux-oem-5.6. The stable updates are really useful, they usually bring up lots of CVE fixes. Sometimes, they are wrong, as have recently happened, and sometimes we have bugs to track, hence my suggestion recently that we discuss how to deal with cases like when the stable updates trump our own backports. Cascardo. > On 03.10.20 00:50, Ian May wrote: > > This patch was applied in the following patchset: > > > > UBUNTU: upstream stable to v5.4.59 > > BugLink: https://bugs.launchpad.net/bugs/1892417 > > > > Thanks! > > Ian > > > > On 2020-09-29 08:31:39 , Thadeu Lima de Souza Cascardo wrote: > >> From: Qingyu Li <ieatmuttonchuan@gmail.com> > >> > >> When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. > >> > >> Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> > >> Signed-off-by: David S. Miller <davem@davemloft.net> > >> (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) > >> CVE-2020-26088 > >> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > >> --- > >> net/nfc/rawsock.c | 7 +++++-- > >> 1 file changed, 5 insertions(+), 2 deletions(-) > >> > >> diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c > >> index ba5ffd3badd3..b5c867fe3232 100644 > >> --- a/net/nfc/rawsock.c > >> +++ b/net/nfc/rawsock.c > >> @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, > >> if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) > >> return -ESOCKTNOSUPPORT; > >> > >> - if (sock->type == SOCK_RAW) > >> + if (sock->type == SOCK_RAW) { > >> + if (!capable(CAP_NET_RAW)) > >> + return -EPERM; > >> sock->ops = &rawsock_raw_ops; > >> - else > >> + } else { > >> sock->ops = &rawsock_ops; > >> + } > >> > >> sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); > >> if (!sk) > >> -- > >> 2.25.1 > >> > >> > >> -- > >> kernel-team mailing list > >> kernel-team@lists.ubuntu.com > >> https://lists.ubuntu.com/mailman/listinfo/kernel-team > > >
My bad! I do see how I interpreted that wrong. Makes sense and thanks for the clarification. Ian On Tue, Oct 6, 2020 at 3:03 AM Thadeu Lima de Souza Cascardo < cascardo@canonical.com> wrote: > On Tue, Oct 06, 2020 at 09:50:56AM +0200, Kleber Souza wrote: > > Hi Ian, > > > > Please note that this patch was requested for focal/linux-oem-5.6 and > > not for focal/linux. Cascardo likely noticed that this was already > > queued for a focal/linux upstream stable update and hasn't explicitly > > requested its inclusion. > > > > > > Kleber > > > > Yes, that was the case. The triager told me that it was pending on > focal/linux, > but needed on focal/linux-oem-5.6. > > The stable updates are really useful, they usually bring up lots of CVE > fixes. > Sometimes, they are wrong, as have recently happened, and sometimes we have > bugs to track, hence my suggestion recently that we discuss how to deal > with > cases like when the stable updates trump our own backports. > > Cascardo. > > > On 03.10.20 00:50, Ian May wrote: > > > This patch was applied in the following patchset: > > > > > > UBUNTU: upstream stable to v5.4.59 > > > BugLink: https://bugs.launchpad.net/bugs/1892417 > > > > > > Thanks! > > > Ian > > > > > > On 2020-09-29 08:31:39 , Thadeu Lima de Souza Cascardo wrote: > > >> From: Qingyu Li <ieatmuttonchuan@gmail.com> > > >> > > >> When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked > first. > > >> > > >> Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> > > >> Signed-off-by: David S. Miller <davem@davemloft.net> > > >> (cherry picked from commit 26896f01467a28651f7a536143fe5ac8449d4041) > > >> CVE-2020-26088 > > >> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > > >> --- > > >> net/nfc/rawsock.c | 7 +++++-- > > >> 1 file changed, 5 insertions(+), 2 deletions(-) > > >> > > >> diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c > > >> index ba5ffd3badd3..b5c867fe3232 100644 > > >> --- a/net/nfc/rawsock.c > > >> +++ b/net/nfc/rawsock.c > > >> @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, > struct socket *sock, > > >> if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) > > >> return -ESOCKTNOSUPPORT; > > >> > > >> - if (sock->type == SOCK_RAW) > > >> + if (sock->type == SOCK_RAW) { > > >> + if (!capable(CAP_NET_RAW)) > > >> + return -EPERM; > > >> sock->ops = &rawsock_raw_ops; > > >> - else > > >> + } else { > > >> sock->ops = &rawsock_ops; > > >> + } > > >> > > >> sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); > > >> if (!sk) > > >> -- > > >> 2.25.1 > > >> > > >> > > >> -- > > >> kernel-team mailing list > > >> kernel-team@lists.ubuntu.com > > >> https://lists.ubuntu.com/mailman/listinfo/kernel-team > > > > > >
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c index ba5ffd3badd3..b5c867fe3232 100644 --- a/net/nfc/rawsock.c +++ b/net/nfc/rawsock.c @@ -332,10 +332,13 @@ static int rawsock_create(struct net *net, struct socket *sock, if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) return -ESOCKTNOSUPPORT; - if (sock->type == SOCK_RAW) + if (sock->type == SOCK_RAW) { + if (!capable(CAP_NET_RAW)) + return -EPERM; sock->ops = &rawsock_raw_ops; - else + } else { sock->ops = &rawsock_ops; + } sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); if (!sk)