[PATCH 4/5] net: fix incorrect credentials passing (CVE-2013-1979)

John Johansen john.johansen at canonical.com
Tue Apr 30 20:59:04 UTC 2013

From: Linus Torvalds <torvalds at linux-foundation.org>

Commit 257b5358b32f ("scm: Capture the full credentials of the scm
sender") changed the credentials passing code to pass in the effective
uid/gid instead of the real uid/gid.

Obviously this doesn't matter most of the time (since normally they are
the same), but it results in differences for suid binaries when the wrong
uid/gid ends up being used.

This just undoes that (presumably unintentional) part of the commit.

Reported-by: Andy Lutomirski <luto at amacapital.net>
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Serge E. Hallyn <serge at hallyn.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: stable at vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

(cherry picked from commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494)
BugLink: https://launchpad.net/bugs/1174827
Signed-off-by: John Johansen <john.johansen at canonical.com>
 include/net/scm.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/net/scm.h b/include/net/scm.h
index 975cca0..b117081 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -56,8 +56,8 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
 	scm->pid  = get_pid(pid);
 	scm->cred = cred ? get_cred(cred) : NULL;
 	scm->creds.pid = pid_vnr(pid);
-	scm->creds.uid = cred ? cred->euid : INVALID_UID;
-	scm->creds.gid = cred ? cred->egid : INVALID_GID;
+	scm->creds.uid = cred ? cred->uid : INVALID_UID;
+	scm->creds.gid = cred ? cred->gid : INVALID_GID;
 static __inline__ void scm_destroy_cred(struct scm_cookie *scm)

More information about the kernel-team mailing list