[SRU,Focal:oem-5.6,0/1] CVE-2020-26088

Message ID 20200929113139.440184-1-cascardo@canonical.com
Thadeu Lima de Souza Cascardo Sept. 29, 2020, 11:31 a.m. UTC
[Impact/Description]
 A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in
 the Linux kernel before 5.8.2 could be used by local attackers to create
 raw sockets, bypassing security mechanisms, aka CID-26896f01467a.

[Test case]
I tried creating a socket(AF_NFC, SOCK_RAW, 0).

It should fail with EPERM as an unprivileged user, that is, one without
CAP_NET_RAW. It should work as a privileged user.

The test passes (that is, socket returns EPERM) with the latest 5.4 kernel, it
fails with the latest oem-5.6 kernel, and passes with an oem-5.6 kernel with
this patch applied.

[Potential regression]
Userspace that relies on such behavior (creating RAW NFC sockets without
CAP_NET_RAW) will break.

Qingyu Li (1):
  net/nfc/rawsock.c: add CAP_NET_RAW check.

 net/nfc/rawsock.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
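The probe the test case describes, written out as an added example that is not part of this SRU submission or of Qingyu Li's patch. It calls socket(AF_NFC, SOCK_RAW, 0) exactly as the cover letter does, reads the caller's effective CAP_NET_RAW via capget(2) so the result can be interpreted, and turns the outcome into a verdict. The verdict names, the helpers, and the fallback AF_NFC value of 39 are this example's own assumptions.

```c
/* Added example for the CVE-2020-26088 test case; not part of the SRU
 * submission or of the kernel patch. Runs socket(AF_NFC, SOCK_RAW, 0)
 * and classifies the outcome. Verdict names and helpers are assumptions
 * made for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef AF_NFC
#define AF_NFC 39   /* PF_NFC from the kernel's socket.h, for older libcs */
#endif

enum probe_verdict {
    PROBE_FIXED,          /* EPERM without CAP_NET_RAW: the check is enforced */
    PROBE_VULNERABLE,     /* raw NFC socket created without CAP_NET_RAW */
    PROBE_PRIVILEGED_OK,  /* created with CAP_NET_RAW: expected on any kernel */
    PROBE_INCONCLUSIVE    /* NFC core absent, caps unknown, or another error */
};

/* 1 if the calling thread has CAP_NET_RAW in its effective set, 0 if not,
 * -1 if capget() failed. Uses the raw syscall so libcap is not required. */
static int has_effective_cap_net_raw(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(CAP_NET_RAW)].effective &
            CAP_TO_MASK(CAP_NET_RAW)) != 0;
}

/* Pure classification of a socket() result (fd = return value, err = errno,
 * has_cap as returned above), so the logic can be checked without a kernel. */
static enum probe_verdict classify_probe(int fd, int err, int has_cap)
{
    if (fd >= 0)
        return has_cap == 1 ? PROBE_PRIVILEGED_OK :
               has_cap == 0 ? PROBE_VULNERABLE : PROBE_INCONCLUSIVE;
    if (err == EPERM)
        /* EPERM while holding CAP_NET_RAW is not the check under test:
         * an LSM or a user namespace may be involved. */
        return has_cap == 0 ? PROBE_FIXED : PROBE_INCONCLUSIVE;
    /* EAFNOSUPPORT and friends: socket() failed before rawsock_create()
     * ran, typically because the NFC core is not built or not loadable. */
    return PROBE_INCONCLUSIVE;
}

/* Performs the actual probe. If errp is non-NULL it receives socket()'s
 * errno (0 on success) for diagnostics. */
static enum probe_verdict probe_nfc_raw(int *errp)
{
    int has_cap = has_effective_cap_net_raw();
    int fd = socket(AF_NFC, SOCK_RAW, 0);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);
    if (errp)
        *errp = err;
    return classify_probe(fd, err, has_cap);
}

static const char *verdict_name(enum probe_verdict v)
{
    switch (v) {
    case PROBE_FIXED:         return "FIXED: EPERM without CAP_NET_RAW";
    case PROBE_VULNERABLE:    return "VULNERABLE: raw NFC socket created without CAP_NET_RAW";
    case PROBE_PRIVILEGED_OK: return "OK: raw NFC socket created with CAP_NET_RAW";
    default:                  return "INCONCLUSIVE";
    }
}

int main(void)
{
    int err = 0;
    enum probe_verdict v = probe_nfc_raw(&err);
    printf("%s (socket errno: %s)\n", verdict_name(v),
           err ? strerror(err) : "none");
    return v == PROBE_VULNERABLE ? 1 : 0;
}
```

Build with `gcc -Wall -o nfc_raw_probe nfc_raw_probe.c` and run it twice: once as an ordinary user (FIXED on a patched kernel, VULNERABLE on an unpatched oem-5.6) and once with the capability granted, e.g. under `sudo` or after `sudo setcap cap_net_raw+ep ./nfc_raw_probe` (OK either way). Two caveats worth knowing when the result is INCONCLUSIVE: if the NFC core cannot be loaded, socket() fails with EAFNOSUPPORT before the rawsock code is reached, so nothing has been tested; and the kernel's capable() check is against the initial user namespace, so "root" inside an unprivileged user namespace reports CAP_NET_RAW via capget() yet still receives EPERM from a patched kernel.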

Comments

Timo Aaltonen Oct. 6, 2020, 1:27 p.m. UTC | #1
On 29.9.2020 14.31, Thadeu Lima de Souza Cascardo wrote:
> [Impact/Description]
>   A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in
>   the Linux kernel before 5.8.2 could be used by local attackers to create
>   raw sockets, bypassing security mechanisms, aka CID-26896f01467a.
> 
> [Test case]
> I tried creating a socket(AF_NFC, SOCK_RAW, 0).
> 
> It should fail with EPERM as an unprivileged user, that is, one without
> CAP_NET_RAW. It should work as a privileged user.
> 
> The test passes (that is, socket returns EPERM) with the latest 5.4 kernel, it
> fails with the latest oem-5.6 kernel, and passes with an oem-5.6 kernel with
> this patch applied.
> 
> [Potential regression]
> Userspace that relies on such behavior (creating RAW NFC sockets without
> CAP_NET_RAW) will break.
> 
> Qingyu Li (1):
>    net/nfc/rawsock.c: add CAP_NET_RAW check.
> 
>   net/nfc/rawsock.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 

applied to oem-5.6, thanks