Message ID | 20200929113139.440184-1-cascardo@canonical.com
---|---
Series | CVE-2020-26088
On 29.9.2020 14.31, Thadeu Lima de Souza Cascardo wrote:
> [Impact/Description]
> A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in
> the Linux kernel before 5.8.2 could be used by local attackers to create
> raw sockets, bypassing security mechanisms, aka CID-26896f01467a.
>
> [Test case]
> I tried creating a socket(AF_NFC, SOCK_RAW, 0);.
>
> It should fail with EPERM as an unprivileged user, that is, one without
> CAP_NET_RAW. It should work as a privileged user.
>
> The test passes (that is, socket returns EPERM) with the latest 5.4 kernel, it
> fails with the latest oem-5.6 kernel, and passes with an oem-5.6 kernel with
> this patch applied.
>
> [Potential regression]
> Userspace that relies on such behavior (creating RAW NFC sockets without
> CAP_NET_RAW) will break.
>
> Qingyu Li (1):
>   net/nfc/rawsock.c: add CAP_NET_RAW check.
>
>  net/nfc/rawsock.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>

applied to oem-5.6, thanks
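The test case in the cover letter above, written out as a small verification program. This is an added example, not code from the thread or from the kernel patch: it performs the socket(AF_NFC, SOCK_RAW, 0) call described there, reads the effective capability set from /proc/self/status to decide whether the caller holds CAP_NET_RAW (bit 13 of CapEff), and reports PASS when an unprivileged caller gets EPERM and a privileged caller gets a socket. The function and enum names (try_nfc_raw_socket, nfc_raw_check_verdict, have_cap_net_raw) are this example's own, and the fallback AF_NFC value of 39 is only used if the system headers do not define it. On a kernel without NFC support the call fails with EAFNOSUPPORT or similar and the result is reported as inconclusive rather than as a pass or fail.

```c
/* Added example (not part of the original thread): checks whether this kernel
 * enforces the CAP_NET_RAW requirement on AF_NFC raw sockets, i.e. the test
 * case from the CVE-2020-26088 cover letter. All names below are this
 * example's own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef AF_NFC
#define AF_NFC 39          /* Linux value; only used if the headers lack it */
#endif
#define CAP_NET_RAW_BIT 13 /* index of CAP_NET_RAW in the CapEff bitmask */

enum nfc_raw_outcome {
    NFC_RAW_CREATED,       /* socket() succeeded */
    NFC_RAW_EPERM,         /* socket() refused with EPERM: check enforced */
    NFC_RAW_UNSUPPORTED,   /* kernel has no AF_NFC at all */
    NFC_RAW_OTHER_ERROR    /* some other errno */
};

/* Parse CapEff from /proc/self/status. Returns 1 if CAP_NET_RAW is held,
 * 0 if not, -1 if it cannot be determined (e.g. no procfs). */
int have_cap_net_raw(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            /* strtoull skips the tab after the colon and parses the hex mask */
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            fclose(f);
            return (int)((caps >> CAP_NET_RAW_BIT) & 1ULL);
        }
    }
    fclose(f);
    return -1;
}

/* Issue the exact call from the cover letter and classify the result.
 * The errno observed (0 on success) is stored in *saved_errno if non-NULL. */
enum nfc_raw_outcome try_nfc_raw_socket(int *saved_errno)
{
    int fd = socket(AF_NFC, SOCK_RAW, 0);
    if (fd >= 0) {
        close(fd);
        if (saved_errno) *saved_errno = 0;
        return NFC_RAW_CREATED;
    }
    if (saved_errno) *saved_errno = errno;
    switch (errno) {
    case EPERM:
        return NFC_RAW_EPERM;
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
        return NFC_RAW_UNSUPPORTED;
    default:
        return NFC_RAW_OTHER_ERROR;
    }
}

/* Pure verdict so the logic can be checked without a real socket call:
 * 1 = kernel behaves as the patched code should, 0 = it does not
 * (unprivileged caller got a raw NFC socket, or privileged caller was
 * refused), -1 = inconclusive (no AF_NFC, other error, or unknown caps). */
int nfc_raw_check_verdict(int has_cap_net_raw, enum nfc_raw_outcome outcome)
{
    if (outcome == NFC_RAW_UNSUPPORTED || outcome == NFC_RAW_OTHER_ERROR ||
        has_cap_net_raw < 0)
        return -1;
    if (has_cap_net_raw)
        return outcome == NFC_RAW_CREATED;
    return outcome == NFC_RAW_EPERM; /* unprivileged caller must be refused */
}

int main(void)
{
    int err = 0;
    int cap = have_cap_net_raw();
    enum nfc_raw_outcome out = try_nfc_raw_socket(&err);
    int verdict = nfc_raw_check_verdict(cap, out);

    printf("CAP_NET_RAW: %s; socket(AF_NFC, SOCK_RAW, 0): %s (errno %d)\n",
           cap < 0 ? "unknown" : cap ? "yes" : "no",
           out == NFC_RAW_CREATED ? "created" :
           out == NFC_RAW_EPERM ? "EPERM" :
           out == NFC_RAW_UNSUPPORTED ? "AF_NFC unsupported" : "other error",
           err);
    printf("verdict: %s\n",
           verdict == 1 ? "PASS" :
           verdict == 0 ? "FAIL (CAP_NET_RAW check not enforced)" : "inconclusive");
    return verdict == 0 ? 1 : 0;
}
```

Run it once as an ordinary user and once with CAP_NET_RAW (for example as root); the first run should print EPERM and PASS on a patched kernel, the second should print "created" and PASS. A "created" outcome in the unprivileged run is exactly the missing check the patch closes.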