[SRU,OEM-6.0,0/3] CVE-2023-1076

Message ID 20230824110603.1266826-1-cengiz.can@canonical.com

Message

Cengiz Can Aug. 24, 2023, 11:06 a.m. UTC
[Impact]
A flaw was found in the Linux kernel. The tun/tap sockets have their socket
UID hardcoded to 0 due to a type confusion in their initialization function.
While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
may not always be the case, e.g., a non-root user only having that capability.
This would make tun/tap sockets be treated incorrectly in filtering/routing
decisions, possibly bypassing network filters.

[Fix]
Cherry-picked from upstream.

[Test case]
Compile, boot and basic tunctl functionality tested.

[Potential regression]
CVE-2023-4194 is a follow-up to this, so this has a high regression potential.

Pietro Borrello (3):
  net: add sock_init_data_uid()
  tun: tun_chr_open(): correctly initialize socket uid
  tap: tap_open(): correctly initialize socket uid

 drivers/net/tap.c  |  2 +-
 drivers/net/tun.c  |  2 +-
 include/net/sock.h |  7 ++++++-
 net/core/sock.c    | 15 ++++++++++++---
 4 files changed, 20 insertions(+), 6 deletions(-)
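The type confusion described under [Impact], as an added userspace model that is not the kernel's code and not part of this series: it mirrors the kernel's container_of()-based SOCK_INODE() lookup, which only holds for a struct socket embedded in a socket_alloc, and shows how a socket embedded in a zero-filled tun_file ends up with uid 0, while sock_init_data_uid() lets the caller pass the owner in. Struct layouts are trimmed to the fields involved, and opener_uid standing in for current_fsuid() is an assumption.

```c
/* Userspace model (added illustration, not kernel code) of the tun/tap
 * socket-UID type confusion that sock_init_data_uid() fixes. */
#include <stddef.h>
#include <string.h>
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

typedef unsigned int kuid_t;
struct inode  { kuid_t i_uid; };
struct socket { int state; void *file; };
struct sock   { kuid_t sk_uid; };

/* Sockets created via socket(2) live in a socket_alloc: inode right behind. */
struct socket_alloc { struct socket socket; struct inode vfs_inode; };

/* The kernel's SOCK_INODE() takes that layout on faith via container_of(). */
static struct inode *SOCK_INODE(struct socket *sock)
{
    return &container_of(sock, struct socket_alloc, socket)->vfs_inode;
}

/* Simplified tun_file: its socket is embedded here with no inode behind it,
 * and kzalloc() leaves the memory that follows zeroed. */
struct tun_file { struct socket socket; kuid_t queue_state[8]; };

/* Pre-fix sock_init_data(): the uid is read from the assumed inode. */
static void sock_init_data_old(struct socket *sock, struct sock *sk)
{
    sk->sk_uid = SOCK_INODE(sock)->i_uid;   /* for a tun_file this is 0 */
}

/* Post-fix sock_init_data_uid(): the caller states the owner explicitly. */
static void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)
{
    (void)sock;
    sk->sk_uid = uid;
}

/* uid a tun socket ends up with; fixed=0 models the pre-fix path, fixed=1 the
 * post-fix path where opener_uid stands in for current_fsuid() (assumption). */
static kuid_t tun_socket_uid(int fixed, kuid_t opener_uid)
{
    struct tun_file tfile; struct sock sk;
    memset(&tfile, 0, sizeof tfile);               /* kzalloc() in the kernel */
    if (fixed)
        sock_init_data_uid(&tfile.socket, &sk, opener_uid);
    else
        sock_init_data_old(&tfile.socket, &sk);
    return sk.sk_uid;
}
```

A non-root opener with uid 1000 and CAP_NET_ADMIN gets uid 0 on the pre-fix path and uid 1000 once the caller passes its own uid.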

Comments

Roxana Nicolescu Aug. 24, 2023, 11:27 a.m. UTC | #1
On 24/08/2023 13:06, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel. The tun/tap sockets have their socket
> UID hardcoded to 0 due to a type confusion in their initialization function.
> While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
> may not always be the case, e.g., a non-root user only having that capability.
> This would make tun/tap sockets be treated incorrectly in filtering/routing
> decisions, possibly bypassing network filters.
>
> [Fix]
> Cherry-picked from upstream.
>
> [Test case]
> Compile, boot and basic tunctl functionality tested.
>
> [Potential regression]
> CVE-2023-4194 is a follow-up to this, so this has a high regression potential.
>
> Pietro Borrello (3):
>    net: add sock_init_data_uid()
>    tun: tun_chr_open(): correctly initialize socket uid
>    tap: tap_open(): correctly initialize socket uid
>
>   drivers/net/tap.c  |  2 +-
>   drivers/net/tun.c  |  2 +-
>   include/net/sock.h |  7 ++++++-
>   net/core/sock.c    | 15 ++++++++++++---
>   4 files changed, 20 insertions(+), 6 deletions(-)
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Tim Gardner Aug. 25, 2023, 2:34 p.m. UTC | #2
On 8/24/23 5:06 AM, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel. The tun/tap sockets have their socket
> UID hardcoded to 0 due to a type confusion in their initialization function.
> While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
> may not always be the case, e.g., a non-root user only having that capability.
> This would make tun/tap sockets be treated incorrectly in filtering/routing
> decisions, possibly bypassing network filters.
> 
> [Fix]
> Cherry-picked from upstream.
> 
> [Test case]
> Compile, boot and basic tunctl functionality tested.
> 
> [Potential regression]
> CVE-2023-4194 is a follow-up to this, so this has a high regression potential.
> 
> Pietro Borrello (3):
>    net: add sock_init_data_uid()
>    tun: tun_chr_open(): correctly initialize socket uid
>    tap: tap_open(): correctly initialize socket uid
> 
>   drivers/net/tap.c  |  2 +-
>   drivers/net/tun.c  |  2 +-
>   include/net/sock.h |  7 ++++++-
>   net/core/sock.c    | 15 ++++++++++++---
>   4 files changed, 20 insertions(+), 6 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Timo Aaltonen Sept. 1, 2023, 11:33 a.m. UTC | #3
On 24.8.2023 at 14.06, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel. The tun/tap sockets have their socket
> UID hardcoded to 0 due to a type confusion in their initialization function.
> While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
> may not always be the case, e.g., a non-root user only having that capability.
> This would make tun/tap sockets be treated incorrectly in filtering/routing
> decisions, possibly bypassing network filters.
> 
> [Fix]
> Cherry-picked from upstream.
> 
> [Test case]
> Compile, boot and basic tunctl functionality tested.
> 
> [Potential regression]
> CVE-2023-4194 is a follow-up to this, so this has a high regression potential.
> 
> Pietro Borrello (3):
>    net: add sock_init_data_uid()
>    tun: tun_chr_open(): correctly initialize socket uid
>    tap: tap_open(): correctly initialize socket uid
> 
>   drivers/net/tap.c  |  2 +-
>   drivers/net/tun.c  |  2 +-
>   include/net/sock.h |  7 ++++++-
>   net/core/sock.c    | 15 ++++++++++++---
>   4 files changed, 20 insertions(+), 6 deletions(-)
> 

applied to oem-6.0, thanks