Message ID: 20230824110819.1268200-1-cengiz.can@canonical.com
Series: CVE-2023-4194
On 24/08/2023 13:08, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits
> - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
> - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
> pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that
> turns out to not be accurate.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and tunctl basic functionality tested.
>
> [Potential regression]
> TUN/TAP users might be affected. However, very unlikely.
>
> Laszlo Ersek (2):
>   net: tun_chr_open(): set sk_uid from current_fsuid()
>   net: tap_open(): set sk_uid from current_fsuid()
>
>  drivers/net/tap.c | 2 +-
>  drivers/net/tun.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 8/24/23 5:08 AM, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits
> - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
> - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
> pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that
> turns out to not be accurate.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and tunctl basic functionality tested.
>
> [Potential regression]
> TUN/TAP users might be affected. However, very unlikely.
>
> Laszlo Ersek (2):
>   net: tun_chr_open(): set sk_uid from current_fsuid()
>   net: tap_open(): set sk_uid from current_fsuid()
>
>  drivers/net/tap.c | 2 +-
>  drivers/net/tun.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 24.08.23 13:08, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits
> - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
> - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
> pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that
> turns out to not be accurate.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and tunctl basic functionality tested.
>
> [Potential regression]
> TUN/TAP users might be affected. However, very unlikely.
>
> Laszlo Ersek (2):
>   net: tun_chr_open(): set sk_uid from current_fsuid()
>   net: tap_open(): set sk_uid from current_fsuid()
>
>  drivers/net/tap.c | 2 +-
>  drivers/net/tun.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Applied to lunar,jammy,focal:linux/master-next and jammy:linux-hwe-5.19/hwe-5.19-next.

Thanks.
-Stefan
On 24.08.23 13:08, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits
> - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
> - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
> pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that
> turns out to not be accurate.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and tunctl basic functionality tested.
>
> [Potential regression]
> TUN/TAP users might be affected. However, very unlikely.
>
> Laszlo Ersek (2):
>   net: tun_chr_open(): set sk_uid from current_fsuid()
>   net: tap_open(): set sk_uid from current_fsuid()
>
>  drivers/net/tap.c | 2 +-
>  drivers/net/tun.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Is this already in OEM-6.0?
On 24.8.2023 at 14.08, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits
> - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
> - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
> pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that
> turns out to not be accurate.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and tunctl basic functionality tested.
>
> [Potential regression]
> TUN/TAP users might be affected. However, very unlikely.
>
> Laszlo Ersek (2):
>   net: tun_chr_open(): set sk_uid from current_fsuid()
>   net: tap_open(): set sk_uid from current_fsuid()
>
>  drivers/net/tap.c | 2 +-
>  drivers/net/tun.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Applied to oem-6.0, thanks.