net: tun_chr_open(): set sk_uid from current_fsuid()
mainline inclusion from mainline-v6.5-rc3 commit 9bc3047374d5bec163e83e743709e23753376f0c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QXHX CVE: CVE-2023-4194 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9bc3047374d5bec163e83e743709e23753376f0c --------------------------- Commit a096ccca initializes the "sk_uid" field in the protocol socket (struct sock) from the "/dev/net/tun" device node's owner UID. Per original commit 86741ec2 ("net: core: Add a UID field to struct sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the userspace process that creates the socket. Commit 86741ec2 mentions socket() and accept(); with "tun", the action that creates the socket is open("/dev/net/tun"). Therefore the device node's owner UID is irrelevant. In most cases, "/dev/net/tun" will be owned by root, so in practice, commit a096ccca has no observable effect: - before, "sk_uid" would be zero, due to undefined behavior (CVE-2023-1076), - after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root. What matters is the (fs)UID of the process performing the open(), so cache that in "sk_uid". Cc: Eric Dumazet <edumazet@google.com> Cc: Lorenzo Colitti <lorenzo@google.com> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Pietro Borrello <borrello@diag.uniroma1.it> Cc: netdev@vger.kernel.org Cc: stable@vger.kernel.org Fixes: a096ccca ("tun: tun_chr_open(): correctly initialize socket uid") Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: NLaszlo Ersek <lersek@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com>
Showing
想要评论请 注册 或 登录