net: tap_open(): set sk_uid from current_fsuid()
mainline inclusion from mainline-v6.5-rc3 commit 5c9241f3ceab3257abe2923a59950db0dc8bb737 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QXHX CVE: CVE-2023-4194 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c9241f3ceab3257abe2923a59950db0dc8bb737 --------------------------- Commit 66b2c338 initializes the "sk_uid" field in the protocol socket (struct sock) from the "/dev/tapX" device node's owner UID. Per original commit 86741ec2 ("net: core: Add a UID field to struct sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the userspace process that creates the socket. Commit 86741ec2 mentions socket() and accept(); with "tap", the action that creates the socket is open("/dev/tapX"). Therefore the device node's owner UID is irrelevant. In most cases, "/dev/tapX" will be owned by root, so in practice, commit 66b2c338 has no observable effect: - before, "sk_uid" would be zero, due to undefined behavior (CVE-2023-1076), - after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root. What matters is the (fs)UID of the process performing the open(), so cache that in "sk_uid". Cc: Eric Dumazet <edumazet@google.com> Cc: Lorenzo Colitti <lorenzo@google.com> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Pietro Borrello <borrello@diag.uniroma1.it> Cc: netdev@vger.kernel.org Cc: stable@vger.kernel.org Fixes: 66b2c338 ("tap: tap_open(): correctly initialize socket uid") Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: NLaszlo Ersek <lersek@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com>
Showing
想要评论请 注册 或 登录