From patchwork Thu Aug 24 11:08:20 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1825322
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Focal, Jammy, HWE-5.19, OEM-6.0, Lunar 1/2] net: tun_chr_open(): set sk_uid from current_fsuid()
Date: Thu, 24 Aug 2023 14:08:20 +0300
Message-Id: <20230824110819.1268200-2-cengiz.can@canonical.com>
In-Reply-To: <20230824110819.1268200-1-cengiz.can@canonical.com>
References: <20230824110819.1268200-1-cengiz.can@canonical.com>
From: Laszlo Ersek

Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/net/tun" device node's owner UID. Per
original commit 86741ec25462 ("net: core: Add a UID field to struct
sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
userspace process that creates the socket. Commit 86741ec25462 mentions
socket() and accept(); with "tun", the action that creates the socket is
open("/dev/net/tun").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50
has no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Cc: Eric Dumazet
Cc: Lorenzo Colitti
Cc: Paolo Abeni
Cc: Pietro Borrello
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
Signed-off-by: Laszlo Ersek
Signed-off-by: David S. Miller
(cherry picked from commit 9bc3047374d5bec163e83e743709e23753376f0c)
CVE-2023-4194
Signed-off-by: Cengiz Can
---
 drivers/net/tun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a4e44f98fbc3..309a0dd16bdc 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3534,7 +3534,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) tfile->socket.file = file; tfile->socket.ops = &tun_socket_ops; - sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); + sock_init_data_uid(&tfile->socket, &tfile->sk, current_fsuid()); tfile->sk.sk_write_space = tun_sock_write_space; tfile->sk.sk_sndbuf = INT_MAX;
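Review bot: the SRU justification should state that this one-line change depends on sock_init_data_uid() (the CVE-2023-1076 fix) already being present in every target tree; the unchanged `- sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);` line confirms it for the tree the diff was generated against, but Focal, Jammy, HWE-5.19, OEM-6.0 and Lunar should each be checked for that prerequisite before this cherry-pick is applied. The substitution itself is type-safe, since both `inode->i_uid` and `current_fsuid()` yield a kuid_t, so the sock_init_data_uid() signature is untouched. The behavioural effect worth calling out for testers is that a non-root process permitted to open /dev/net/tun now has its own fsuid cached in sk_uid instead of the device node owner's, which is exactly what the commit message argues the field was meant to hold.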
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Focal, Jammy, HWE-5.19, OEM-6.0, Lunar 2/2] net: tap_open(): set sk_uid from current_fsuid()
Date: Thu, 24 Aug 2023 14:08:22 +0300
Message-Id: <20230824110819.1268200-3-cengiz.can@canonical.com>
In-Reply-To: <20230824110819.1268200-1-cengiz.can@canonical.com>
References: <20230824110819.1268200-1-cengiz.can@canonical.com>
From: Laszlo Ersek

Commit 66b2c338adce initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/tapX" device node's owner UID. Per original
commit 86741ec25462 ("net: core: Add a UID field to struct sock.",
2016-11-04), that's wrong: the idea is to cache the UID of the userspace
process that creates the socket. Commit 86741ec25462 mentions socket() and
accept(); with "tap", the action that creates the socket is
open("/dev/tapX").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/tapX" will be owned by root, so in practice, commit 66b2c338adce has
no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Cc: Eric Dumazet
Cc: Lorenzo Colitti
Cc: Paolo Abeni
Cc: Pietro Borrello
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
Signed-off-by: Laszlo Ersek
Signed-off-by: David S. Miller
(cherry picked from commit 5c9241f3ceab3257abe2923a59950db0dc8bb737)
CVE-2023-4194
Signed-off-by: Cengiz Can
---
 drivers/net/tap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 574c17aa4b09..c299faaf4b2d 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -525,7 +525,7 @@ static int tap_open(struct inode *inode, struct file *file) q->sock.state = SS_CONNECTED; q->sock.file = file; q->sock.ops = &tap_socket_ops; - sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); + sock_init_data_uid(&q->sock, &q->sk, current_fsuid()); q->sk.sk_write_space = tap_sock_write_space; q->sk.sk_destruct = tap_sock_destruct; q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP;
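Review bot: the choice of `current_fsuid()` rather than `current_uid()` deserves one sentence of justification in the message, because it is the right one and a future reader may wonder: open() permission checks on /dev/tapX are made against the filesystem UID, so the value cached in sk_uid is the same credential that was actually authorised to open the device, and it is the same call the tun hunk in 1/2 uses, keeping the two drivers' socket-UID semantics identical. The surrounding context lines (`q->sock.ops = &tap_socket_ops;` before, `q->sk.sk_write_space = tap_sock_write_space;` after) show the sock_init_data_uid() call is still made before any sk callbacks are installed, so the ordering is unaffected by the change.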