From patchwork Thu Aug 24 11:06:01 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825318
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0 1/3] net: add sock_init_data_uid()
Date: Thu, 24 Aug 2023 14:06:01 +0300
Message-Id: <20230824110603.1266826-2-cengiz.can@canonical.com>
In-Reply-To: <20230824110603.1266826-1-cengiz.can@canonical.com>
References: <20230824110603.1266826-1-cengiz.can@canonical.com>

From: Pietro Borrello

Add sock_init_data_uid() to explicitly initialize the socket uid.

To initialise the socket uid, sock_init_data() assumes the struct socket* sock is always embedded in a struct socket_alloc, used to access the corresponding inode uid. This may not be true. Examples are sockets created in tun_chr_open() and tap_open().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit 584f3742890e966d2f0a1f3c418c9ead70b2d99e)
CVE-2023-1076
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can
---
 include/net/sock.h |  7 ++++++-
 net/core/sock.c    | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h index f6e6838c82df..8cb0b943d25e 100644 --- a/include/net/sock.h +++ b/include/net/sock.h
@@ -1934,7 +1934,12 @@ void sk_common_release(struct sock *sk); * Default socket callbacks and setup code */ -/* Initialise core socket variables */ +/* Initialise core socket variables using an explicit uid. */ +void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid); + +/* Initialise core socket variables. + * Assumes struct socket *sock is embedded in a struct socket_alloc. + */ void sock_init_data(struct socket *sock, struct sock *sk); /* diff --git a/net/core/sock.c b/net/core/sock.c index 9c05637663bf..bfada8fb3867 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3303,7 +3303,7 @@ void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer) } EXPORT_SYMBOL(sk_stop_timer_sync); -void sock_init_data(struct socket *sock, struct sock *sk) +void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) { sk_init_common(sk); sk->sk_send_head = NULL; @@ -3322,11 +3322,10 @@ void sock_init_data(struct socket *sock, struct sock *sk) sk->sk_type = sock->type; RCU_INIT_POINTER(sk->sk_wq, &sock->wq); sock->sk = sk; - sk->sk_uid = SOCK_INODE(sock)->i_uid; } else { RCU_INIT_POINTER(sk->sk_wq, NULL); - sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0); } + sk->sk_uid = uid; rwlock_init(&sk->sk_callback_lock); if (sk->sk_kern_sock) @@ -3385,6 +3384,16 @@ void sock_init_data(struct socket *sock, struct sock *sk) refcount_set(&sk->sk_refcnt, 1); atomic_set(&sk->sk_drops, 0); } +EXPORT_SYMBOL(sock_init_data_uid); + +void sock_init_data(struct socket *sock, struct sock *sk) +{ + kuid_t uid = sock ? + SOCK_INODE(sock)->i_uid : + make_kuid(sock_net(sk)->user_ns, 0); + + sock_init_data_uid(sock, sk, uid); +} EXPORT_SYMBOL(sock_init_data); void lock_sock_nested(struct sock *sk, int subclass)
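
Review bot: In the include/net/sock.h hunk (@@ -1934), the one-line comment above sock_init_data_uid() does not say when a caller must choose it over sock_init_data(), nor that sock may still be NULL. The new text on sock_init_data() states the socket_alloc assumption, but a reader of the header has to infer that the _uid variant is the one to use when that assumption fails. Suggest expanding the comment to say that callers whose struct socket is not embedded in a struct socket_alloc must call sock_init_data_uid() and pass the uid themselves, and to state what uid is expected when sock is NULL.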
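
Review bot: In the net/core/sock.c hunk at @@ -3322, "sk->sk_uid = uid;" now stores whatever the caller passes, for both the sock and the NULL-sock path, with no check on the value. Before this change the NULL-sock branch always produced make_kuid(sock_net(sk)->user_ns, 0); that default now lives only in the sock_init_data() wrapper, so a direct caller of sock_init_data_uid() with sock == NULL gets no fallback. Suggest either documenting that the caller is responsible for supplying a valid kuid_t, or adding a cheap sanity check such as WARN_ON_ONCE(!uid_valid(uid)) before the assignment.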
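
Review bot: In the last net/core/sock.c hunk (@@ -3385), the new sock_init_data() wrapper evaluates sock_net(sk)->user_ns before sock_init_data_uid() has run sk_init_common(sk) and the rest of the initialisation, whereas the removed line read it part-way through that function. It is worth confirming that sk's network namespace is always set by the time sock_init_data() is entered and is not touched by the code in between, and saying so in a short comment. Note also that the wrapper still dereferences SOCK_INODE(sock)->i_uid for every non-NULL sock, and the diffstat shows this patch converts no caller, so tun_chr_open() and tap_open() keep the unsafe path until they are switched to sock_init_data_uid(); the changelog should point at the patch that does that.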