From patchwork Thu Aug 24 11:06:01 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cengiz Can <cengiz.can@canonical.com>
X-Patchwork-Id: 1825318
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=Blxf/qpo;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RWgJ61GnCz1ygJ
	for <incoming@patchwork.ozlabs.org>; Thu, 24 Aug 2023 21:06:28 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qZ8AL-0006Pd-RZ; Thu, 24 Aug 2023 11:06:17 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <cengiz.can@canonical.com>) id 1qZ8AK-0006PS-MI
 for kernel-team@lists.ubuntu.com; Thu, 24 Aug 2023 11:06:16 +0000
Received: from mail-ej1-f71.google.com (mail-ej1-f71.google.com
 [209.85.218.71])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 5A3E63F0BA
 for <kernel-team@lists.ubuntu.com>; Thu, 24 Aug 2023 11:06:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1692875176;
 bh=comv+1HVt9DoicShUro/r68gMgJevGaI3vPsmNH6us8=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=Blxf/qpobmc2j6Hj7ErmPCFsC1kRj68BDrwwvPX+sgQOSRHJ9NawnyHQ66f1ND+Xh
 MiEK2aqH8aMxbi/tXx1QnPZSff22AMbLCSx7R3aSYjlS3rnB3Au8RttfrdzFG+ZjoY
 HmN9MZHP390dJYo+lnzoR0fefpKdsjmkZswX+V1EcPmf7JzzTYjMjLDyyafJDWhIgW
 tCba42DeAsI57yPUjT304/3xz3NTvKWwOz70npegZEw2tPrcIoYMYCFoLMCpmot/k4
 Xf9lOQXjyHQONKdYv7Zl0U8rmEJj+QUoZjFHRek+TR9Mhgtx1wkgiNYrxCh97MyYzT
 IT13xpL6/f9wA==
Received: by mail-ej1-f71.google.com with SMTP id
 a640c23a62f3a-9a2202c0a2bso26190366b.3
 for <kernel-team@lists.ubuntu.com>; Thu, 24 Aug 2023 04:06:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1692875175; x=1693479975;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=comv+1HVt9DoicShUro/r68gMgJevGaI3vPsmNH6us8=;
 b=YPP1IX4gF+aa2uf1dBm9G7/O9DVR7WUwFYyTVwkcXe0ZLzIGjFCUWwWWkldya5Ekp4
 xrvC5io+yEAmQhoh6FHRaC0bqJCi5hkx8Onm0tpmpg/+nDaGcvqAH/6y+2fApX+FUFrM
 JlKNPTzyjnG/7Cf4aSKoPSCxbrgJhR+e8Y7IcSdxqYfx5yK7rJsJRyLAqyX/JAD+9FKT
 fBs6FRrA/9hdCNpeaiB4Zs9Lf5rPmmvUQG0AEJkB6zQ+T5PKf4Lw3HRzCxEBLYvAs6Wb
 Fy9XgVfegCbnrEQu3JsIpB37bwj9PAQjJlPJMW43yca+YkaCoCOxOEsawWIW/AFoZgVA
 ZIzQ==
X-Gm-Message-State: AOJu0YzAQEWdzTsOxPmdQySQuXgiohGfSWlHOf++Du3OKC643uzaWomb
 +EyldoyTKpIXIM7JB2LZ5tqaaeGB6Td4i3kxRI1BW74gM9zxflikA68BTq3p+wI5Ki4Go+5e5My
 HnT55vkIMqnY4ZM4i7c+8MZFglPRo/AQDiGi31psMVmjTTtTzEOqO
X-Received: by 2002:a17:907:75f9:b0:9a2:1d09:4eee with SMTP id
 jz25-20020a17090775f900b009a21d094eeemr827526ejc.49.1692875175643;
 Thu, 24 Aug 2023 04:06:15 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IHDiRi/SWJdQiOwoHjYsqjdOGu+Pb/4B11JViG9Yh3h/8kvEMKQVgRdvtPEEt8UP5db0hQ25Q==
X-Received: by 2002:a17:907:75f9:b0:9a2:1d09:4eee with SMTP id
 jz25-20020a17090775f900b009a21d094eeemr827506ejc.49.1692875175239;
 Thu, 24 Aug 2023 04:06:15 -0700 (PDT)
Received: from localhost ([24.133.89.143]) by smtp.gmail.com with ESMTPSA id
 k16-20020a1709065fd000b0099c157cba46sm10696281ejv.119.2023.08.24.04.06.14
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 24 Aug 2023 04:06:15 -0700 (PDT)
From: Cengiz Can <cengiz.can@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0 1/3] net: add sock_init_data_uid()
Date: Thu, 24 Aug 2023 14:06:01 +0300
Message-Id: <20230824110603.1266826-2-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230824110603.1266826-1-cengiz.can@canonical.com>
References: <20230824110603.1266826-1-cengiz.can@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pietro Borrello <borrello@diag.uniroma1.it>

Add sock_init_data_uid() to explicitly initialize the socket uid.
To initialise the socket uid, sock_init_data() assumes a the struct
socket* sock is always embedded in a struct socket_alloc, used to
access the corresponding inode uid. This may not be true.
Examples are sockets created in tun_chr_open() and tap_open().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 584f3742890e966d2f0a1f3c418c9ead70b2d99e)
CVE-2023-1076
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 include/net/sock.h |  7 ++++++-
 net/core/sock.c    | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index f6e6838c82df..8cb0b943d25e 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1934,7 +1934,12 @@ void sk_common_release(struct sock *sk);
  *	Default socket callbacks and setup code
  */
 
-/* Initialise core socket variables */
+/* Initialise core socket variables using an explicit uid. */
+void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid);
+
+/* Initialise core socket variables.
+ * Assumes struct socket *sock is embedded in a struct socket_alloc.
+ */
 void sock_init_data(struct socket *sock, struct sock *sk);
 
 /*
diff --git a/net/core/sock.c b/net/core/sock.c
index 9c05637663bf..bfada8fb3867 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3303,7 +3303,7 @@ void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer)
 }
 EXPORT_SYMBOL(sk_stop_timer_sync);
 
-void sock_init_data(struct socket *sock, struct sock *sk)
+void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)
 {
 	sk_init_common(sk);
 	sk->sk_send_head	=	NULL;
@@ -3322,11 +3322,10 @@ void sock_init_data(struct socket *sock, struct sock *sk)
 		sk->sk_type	=	sock->type;
 		RCU_INIT_POINTER(sk->sk_wq, &sock->wq);
 		sock->sk	=	sk;
-		sk->sk_uid	=	SOCK_INODE(sock)->i_uid;
 	} else {
 		RCU_INIT_POINTER(sk->sk_wq, NULL);
-		sk->sk_uid	=	make_kuid(sock_net(sk)->user_ns, 0);
 	}
+	sk->sk_uid	=	uid;
 
 	rwlock_init(&sk->sk_callback_lock);
 	if (sk->sk_kern_sock)
@@ -3385,6 +3384,16 @@ void sock_init_data(struct socket *sock, struct sock *sk)
 	refcount_set(&sk->sk_refcnt, 1);
 	atomic_set(&sk->sk_drops, 0);
 }
+EXPORT_SYMBOL(sock_init_data_uid);
+
+void sock_init_data(struct socket *sock, struct sock *sk)
+{
+	kuid_t uid = sock ?
+		SOCK_INODE(sock)->i_uid :
+		make_kuid(sock_net(sk)->user_ns, 0);
+
+	sock_init_data_uid(sock, sk, uid);
+}
 EXPORT_SYMBOL(sock_init_data);
 
 void lock_sock_nested(struct sock *sk, int subclass)