[SRU OEM-6.0 0/3] CVE-2023-1076
Cengiz Can
cengiz.can at canonical.com
Thu Aug 24 11:06:00 UTC 2023
[Impact]
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket
UID hardcoded to 0 due to a type confusion in their initialization function.
While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it
may not always be the case, e.g., a non-root user only having that capability.
This would make tun/tap sockets being incorrectly treated in filtering/routing
decisions, possibly bypassing network filters.
[Fix]
Cherry picked from upstream.
[Test case]
Compile, boot and basic tunctl functionality tested.
[Potential regression]
CVE-2023-4194 is a followup for this so this has a high regression potential.
Pietro Borrello (3):
net: add sock_init_data_uid()
tun: tun_chr_open(): correctly initialize socket uid
tap: tap_open(): correctly initialize socket uid
drivers/net/tap.c | 2 +-
drivers/net/tun.c | 2 +-
include/net/sock.h | 7 ++++++-
net/core/sock.c | 15 ++++++++++++---
4 files changed, 20 insertions(+), 6 deletions(-)
--
2.39.2
More information about the kernel-team
mailing list