proc connector: reject unprivileged listener bumps

While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: N Kees Cook <keescook@chromium.org> Cc: Evgeniy Polyakov <zbr@ioremap.net> Cc: Matt Helsley <matthltc@us.ibm.com> Cc: stable@vger.kernel.org Acked-by: N Evgeniy Polyakov <zbr@ioremap.net> Acked-by: N Matt Helsley <matthltc@us.ibm.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

proc connector: reject unprivileged listener bumps
While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: N Kees Cook <keescook@chromium.org> Cc: Evgeniy Polyakov <zbr@ioremap.net> Cc: Matt Helsley <matthltc@us.ibm.com> Cc: stable@vger.kernel.org Acked-by: N Evgeniy Polyakov <zbr@ioremap.net> Acked-by: N Matt Helsley <matthltc@us.ibm.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
e70ab977 · Kees Cook · David S. Miller · 114a6f8b · e70ab977
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

drivers/connector/cn_proc.c drivers/connector/cn_proc.c +8 -0

未找到文件。
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
 	    (task_active_pid_ns(current) != &init_pid_ns))
 		return;

+	/* Can only change if privileged. */
+	if (!capable(CAP_NET_ADMIN)) {
+		err = EPERM;
+		goto out;
+	}
+
 	mc_op = (enum proc_cn_mcast_op *)msg->data;
 	switch (*mc_op) {
 	case PROC_CN_MCAST_LISTEN:
@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
 		err = EINVAL;
 		break;
 	}
+
+out:
 	cn_proc_ack(err, msg->seq, msg->ack);
 }