From patchwork Thu Aug 24 11:06:01 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825318
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0 1/3] net: add sock_init_data_uid()
Date: Thu, 24 Aug 2023 14:06:01 +0300
Message-Id: <20230824110603.1266826-2-cengiz.can@canonical.com>
In-Reply-To: <20230824110603.1266826-1-cengiz.can@canonical.com>
References: <20230824110603.1266826-1-cengiz.can@canonical.com>

From: Pietro Borrello

Add sock_init_data_uid() to explicitly initialize the socket uid.
To initialise the socket uid, sock_init_data() assumes the struct socket* sock
is always embedded in a struct socket_alloc, used to access the corresponding
inode uid. This may not be true.
Examples are sockets created in tun_chr_open() and tap_open().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit 584f3742890e966d2f0a1f3c418c9ead70b2d99e)
CVE-2023-1076
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can
---
 include/net/sock.h | 7 ++++++-
 net/core/sock.c    | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index f6e6838c82df..8cb0b943d25e 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1934,7 +1934,12 @@ void sk_common_release(struct sock *sk); * Default socket callbacks and setup code */ -/* Initialise core socket variables */ +/* Initialise core socket variables using an explicit uid. */ +void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid); + +/* Initialise core socket variables. + * Assumes struct socket *sock is embedded in a struct socket_alloc. + */ void sock_init_data(struct socket *sock, struct sock *sk); /* diff --git a/net/core/sock.c b/net/core/sock.c index 9c05637663bf..bfada8fb3867 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3303,7 +3303,7 @@ void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer) } EXPORT_SYMBOL(sk_stop_timer_sync); -void sock_init_data(struct socket *sock, struct sock *sk) +void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) { sk_init_common(sk); sk->sk_send_head = NULL; @@ -3322,11 +3322,10 @@ void sock_init_data(struct socket *sock, struct sock *sk) sk->sk_type = sock->type; RCU_INIT_POINTER(sk->sk_wq, &sock->wq); sock->sk = sk; - sk->sk_uid = SOCK_INODE(sock)->i_uid; } else { RCU_INIT_POINTER(sk->sk_wq, NULL); - sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0); } + sk->sk_uid = uid; rwlock_init(&sk->sk_callback_lock); if (sk->sk_kern_sock) 
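Review bot: the include/net/sock.h hunk documents the socket_alloc assumption on sock_init_data() but leaves sock_init_data_uid() with a one-line comment that says neither who should call it nor what `uid` a caller passing a NULL `sock` is expected to supply (the sock_init_data() wrapper defaults to `make_kuid(sock_net(sk)->user_ns, 0)`); a short kernel-doc block on sock_init_data_uid() naming the embedded-socket case from the commit message (tun_chr_open(), tap_open()) would put that contract where driver authors will find it.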
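Review bot: in the @@ -3322 hunk the two per-branch assignments of sk->sk_uid are replaced by a single `sk->sk_uid = uid;` after the if/else, which is behaviour-preserving for sock_init_data() callers because the wrapper computes the same two values; the one ordering change is that `sock_net(sk)->user_ns` is now read in the wrapper before sk_init_common(sk) runs instead of after it, so it is worth confirming that sk_init_common() sets nothing that sock_net() depends on.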
@@ -3385,6 +3384,16 @@ void sock_init_data(struct socket *sock, struct sock *sk) refcount_set(&sk->sk_refcnt, 1); atomic_set(&sk->sk_drops, 0); } +EXPORT_SYMBOL(sock_init_data_uid); + +void sock_init_data(struct socket *sock, struct sock *sk) +{ + kuid_t uid = sock ? + SOCK_INODE(sock)->i_uid : + make_kuid(sock_net(sk)->user_ns, 0); + + sock_init_data_uid(sock, sk, uid); +} EXPORT_SYMBOL(sock_init_data); void lock_sock_nested(struct sock *sk, int subclass)

From patchwork Thu Aug 24 11:06:02 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825317
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0 2/3] tun: tun_chr_open(): correctly initialize socket uid
Date: Thu, 24 Aug 2023 14:06:02 +0300
Message-Id: <20230824110603.1266826-3-cengiz.can@canonical.com>
In-Reply-To: <20230824110603.1266826-1-cengiz.can@canonical.com>
References: <20230824110603.1266826-1-cengiz.can@canonical.com>
From: Pietro Borrello

sock_init_data() assumes that the `struct socket` passed in input is
contained in a `struct socket_alloc` allocated with sock_alloc().
However, tun_chr_open() passes a `struct socket` embedded in a
`struct tun_file` allocated with sk_alloc().
This causes a type confusion when issuing a container_of() with
SOCK_INODE() in sock_init_data() which results in assigning a wrong
sk_uid to the `struct sock` in input.
On default configuration, the type confused field overlaps with the
high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`,
NULL at the time of call, which makes the uid of all tun sockets 0,
i.e., the root one.
Fix the assignment by using sock_init_data_uid().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit a096ccca6e503a5c575717ff8a36ace27510ab0a)
CVE-2023-1076
Signed-off-by: Cengiz Can
---
 drivers/net/tun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 3387074a2bdb..7fd539387e80 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3447,7 +3447,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) tfile->socket.file = file; tfile->socket.ops = &tun_socket_ops; - sock_init_data(&tfile->socket, &tfile->sk); + sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); tfile->sk.sk_write_space = tun_sock_write_space; tfile->sk.sk_sndbuf = INT_MAX;

From patchwork Thu Aug 24 11:06:03 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825320
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0 3/3] tap: tap_open(): correctly initialize socket uid
Date: Thu, 24 Aug 2023 14:06:03 +0300
Message-Id: <20230824110603.1266826-4-cengiz.can@canonical.com>
In-Reply-To: <20230824110603.1266826-1-cengiz.can@canonical.com>
References: <20230824110603.1266826-1-cengiz.can@canonical.com>
From: Pietro Borrello

sock_init_data() assumes that the `struct socket` passed in input is
contained in a `struct socket_alloc` allocated with sock_alloc().
However, tap_open() passes a `struct socket` embedded in a
`struct tap_queue` allocated with sk_alloc().
This causes a type confusion when issuing a container_of() with
SOCK_INODE() in sock_init_data() which results in assigning a wrong
sk_uid to the `struct sock` in input.
On default configuration, the type confused field overlaps with padding
bytes between `int vnet_hdr_sz` and `struct tap_dev __rcu *tap` in
`struct tap_queue`, which makes the uid of all tap sockets 0, i.e., the
root one.
Fix the assignment by using sock_init_data_uid().

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Pietro Borrello
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit 66b2c338adce580dfce2199591e65e2bab889cff)
CVE-2023-1076
Signed-off-by: Cengiz Can
---
 drivers/net/tap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 9e75ed3f08ce..760d8d1b6cba 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -533,7 +533,7 @@ static int tap_open(struct inode *inode, struct file *file) q->sock.state = SS_CONNECTED; q->sock.file = file; q->sock.ops = &tap_socket_ops; - sock_init_data(&q->sock, &q->sk); + sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); q->sk.sk_write_space = tap_sock_write_space; q->sk.sk_destruct = tap_sock_destruct; q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP;
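Review bot: `inode->i_uid` in the tap_open() hunk is the owner of the character device node being opened, not the uid of the task calling open(), so the commit message should say explicitly that the node owner is the intended sk_uid; the tun_chr_open() change in 2/3 makes the same choice. It is consistent with how the sock_init_data() wrapper in 1/3 derives the uid for ordinary sockets (the inode's i_uid), but because a device node and its opener can have different owners, a reader should not have to re-derive that this is deliberate.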
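As an added illustration of the type confusion described in the 2/3 and 3/3 commit messages (this is not code from the patches or from the kernel), the following userland C embeds a `struct socket` in two different containers and shows why deriving the uid through container_of() is only correct for the socket_alloc case, while an explicitly passed uid, the approach sock_init_data_uid() takes, is correct for both. The struct layouts, the `tun_file_model` container, the helper names and the uid 1000 are simplified assumptions, not the kernel's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures: assumed layouts, not the real ones. */
struct sock   { uint32_t sk_uid; };
struct socket { int state; struct sock *sk; };
struct inode  { uint32_t i_uid; };
/* The container sock_init_data() assumes: the socket is followed by its inode. */
struct socket_alloc { struct socket socket; struct inode vfs_inode; };
/* A driver-private container in the spirit of tun_file/tap_queue: the socket is
 * followed by unrelated fields, so no inode sits at the offset SOCK_INODE() expects. */
struct tun_file_model {
    struct socket socket;
    void *tun;            /* NULL at open time, like `tun` in the commit message */
    struct sock sk;
};
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Mirrors SOCK_INODE(): only meaningful when sock really lives in a socket_alloc. */
static struct inode *sock_inode(struct socket *sock)
{
    return &container_of(sock, struct socket_alloc, socket)->vfs_inode;
}
/* Old scheme: derive the uid through the container, whatever it actually is. */
static void init_data_implicit(struct socket *sock, struct sock *sk)
{
    sk->sk_uid = sock_inode(sock)->i_uid;
}
/* New scheme, as sock_init_data_uid(): the caller supplies the uid. */
static void init_data_uid(struct socket *sock, struct sock *sk, uint32_t uid) { (void)sock; sk->sk_uid = uid; }

/* A genuine socket_alloc whose inode is owned by `owner`: the old scheme is correct. */
uint32_t uid_for_socket_alloc(uint32_t owner)
{
    struct socket_alloc sa;
    struct sock sk = { 0 };
    memset(&sa, 0, sizeof sa);
    sa.vfs_inode.i_uid = owner;
    init_data_implicit(&sa.socket, &sk);
    return sk.sk_uid;
}
/* The tun-style container under the old scheme: the "inode" read lands on the zeroed
 * bytes of `tun`, so every such socket ends up with uid 0, the root one. */
uint32_t uid_for_tun_implicit(void)
{
    struct tun_file_model tf;
    memset(&tf, 0, sizeof tf);
    init_data_implicit(&tf.socket, &tf.sk);
    return tf.sk.sk_uid;
}
/* The same container with the uid passed explicitly, as the tun/tap fixes do. */
uint32_t uid_for_tun_explicit(uint32_t owner)
{
    struct tun_file_model tf;
    memset(&tf, 0, sizeof tf);
    init_data_uid(&tf.socket, &tf.sk, owner);
    return tf.sk.sk_uid;
}
```

With a non-NULL `tun` the implicit path would instead store whatever pointer bytes happen to sit at that offset, which is the general shape of a container_of() type confusion.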