net: tun_chr_open(): set sk_uid from current_fsuid()
commit 9bc3047374d5bec163e83e743709e23753376f0c upstream.
Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/net/tun" device node's owner UID. Per
original commit 86741ec25462 ("net: core: Add a UID field to struct
sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
userspace process that creates the socket. Commit 86741ec25462 mentions
socket() and accept(); with "tun", the action that creates the socket is
open("/dev/net/tun").
Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50
has no observable effect:
- before, "sk_uid" would be zero, due to undefined behavior
(CVE-2023-1076),
- after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.
What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".
BUG=b/296028784
TEST=presubmit
SOURCE=UPSTREAM(9bc3047374d5)
RELEASE_NOTE=Fixed CVE-2023-4194 in the Linux kernel.
Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
Change-Id: Iea0089d383b035e909c40e333778847b4f2b9703
Signed-off-by: Laszlo Ersek <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/55019
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Oleksandr Tymoshenko <[email protected]>
1 file changed
