X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825321
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Focal, Jammy, HWE-5.19, OEM-6.0, Lunar 0/2] CVE-2023-4194
Date: Thu, 24 Aug 2023 14:08:18 +0300
Message-Id: <20230824110819.1268200-1-cengiz.can@canonical.com>

[Impact]
A flaw was found in the Linux kernel’s TUN/TAP functionality. This issue
could allow a local user to bypass network filters and gain unauthorized
access to some resources.

The original patches fixing CVE-2023-1076 are incorrect or incomplete.
The problem is that the following upstream commits

- a096ccca6e50 (“tun: tun_chr_open(): correctly initialize socket uid”),
- 66b2c338adce (“tap: tap_open(): correctly initialize socket uid”),

pass “inode->i_uid” to sock_init_data_uid() as the last parameter and
that turns out to not be accurate.

[Fix]
Cherry picked from upstream.

[Test case]
Compile, boot and tunctl basic functionality tested.

[Potential regression]
TUN/TAP users might be affected. However very unlikely.

Laszlo Ersek (2):
  net: tun_chr_open(): set sk_uid from current_fsuid()
  net: tap_open(): set sk_uid from current_fsuid()

 drivers/net/tap.c | 2 +-
 drivers/net/tun.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Acked-by: Roxana Nicolescu
Acked-by: Tim Gardner
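A backport check for the change this series describes, added here as an example and not code from the series or the kernel tree: it extracts the last argument of every sock_init_data_uid() call in a driver source file and reports whether the file still passes inode->i_uid or already uses current_fsuid(). The source excerpts, the result labels and the function names (last_argument, classify, audit) are constructed for illustration.

```python
import re

def last_argument(code, open_paren):
    """Last top-level argument of the call whose '(' is at open_paren."""
    depth, arg_start = 0, open_paren + 1
    for i in range(open_paren, len(code)):
        if code[i] == "(":
            depth += 1
        elif code[i] == ")":
            depth -= 1
            if depth == 0:
                return " ".join(code[arg_start:i].split())
        elif code[i] == "," and depth == 1:
            arg_start = i + 1
    raise ValueError("unbalanced parentheses")

def classify(source):
    """Classify one driver file by the uid it hands to sock_init_data_uid()."""
    code = re.sub(r"/\*.*?\*/|//[^\n]*", " ", source, flags=re.S)  # drop comments
    uids = [last_argument(code, m.end() - 1)
            for m in re.finditer(r"\bsock_init_data_uid\s*\(", code)]
    if not uids:
        return "no-call"        # helper not used in this file at all
    if "inode->i_uid" in uids:
        return "incomplete"     # the state the cover letter calls inaccurate
    if all(u == "current_fsuid()" for u in uids):
        return "fixed"          # the state after this series
    return "review"             # some other uid expression: read it by hand

# Constructed excerpts (not copied from any tree), one per state.
TUN_INCOMPLETE = """
static int tun_chr_open(struct inode *inode, struct file *file)
{
	sock_init_data_uid(&tfile->socket, &tfile->sk,
			   inode->i_uid);
}
"""
TAP_FIXED = """
static int tap_open(struct inode *inode, struct file *file)
{
	/* was: sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); */
	sock_init_data_uid(&q->sock, &q->sk, current_fsuid());
}
"""

def audit(files):
    """Map each file name to its classification."""
    return {name: classify(text) for name, text in files.items()}

if __name__ == "__main__":
    print(audit({"drivers/net/tun.c": TUN_INCOMPLETE,
                 "drivers/net/tap.c": TAP_FIXED}))
```

Run against drivers/net/tun.c and drivers/net/tap.c of each tree in the SRU list, any result other than "fixed" means the file needs a manual look before the series is considered applied.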