[SRU OEM-6.0 0/3] CVE-2023-1076

Cengiz Can cengiz.can at canonical.com
Thu Aug 24 11:06:00 UTC 2023


[Impact]
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket
UID hardcoded to 0 due to a type confusion in their initialization function.
While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
may not always be the case, e.g., a non-root user only having that capability.
This would cause tun/tap sockets to be incorrectly treated in filtering/routing
decisions, possibly bypassing network filters.

[Fix]
Cherry picked from upstream.

[Test case]
Compile, boot and basic tunctl functionality tested.

[Potential regression]
CVE-2023-4194 is a follow-up for this, so this has a high regression potential.

Pietro Borrello (3):
  net: add sock_init_data_uid()
  tun: tun_chr_open(): correctly initialize socket uid
  tap: tap_open(): correctly initialize socket uid

 drivers/net/tap.c  |  2 +-
 drivers/net/tun.c  |  2 +-
 include/net/sock.h |  7 ++++++-
 net/core/sock.c    | 15 ++++++++++++---
 4 files changed, 20 insertions(+), 6 deletions(-)

-- 
2.39.2
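
The type confusion described under [Impact], as an added userspace model that is not part of the original mail or of the kernel patches. The struct layouts are simplified, and the `_model` functions, `uid_via_socket_alloc()`, `zeroed_field` and the UID 1000 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (layouts are assumptions). */
struct socket { int state; };
struct inode  { unsigned int i_uid; };
struct sock   { unsigned int sk_uid; };
/* Sockets from the normal allocator sit next to their inode. */
struct socket_alloc { struct socket socket; struct inode vfs_inode; };
/* tun/tap embed the socket in their own object: no inode follows it. */
struct tun_file { struct socket socket; unsigned int zeroed_field; };

/* Models the container_of() step: trusts that sock lives in a socket_alloc. */
static unsigned int uid_via_socket_alloc(const struct socket *sock)
{
    const char *base = (const char *)sock - offsetof(struct socket_alloc, socket);
    unsigned int uid;
    memcpy(&uid, base + offsetof(struct socket_alloc, vfs_inode.i_uid), sizeof uid);
    return uid;
}
/* Before the fix: uid is derived from the (assumed) neighbouring inode. */
static void sock_init_data_model(const struct socket *sock, struct sock *sk)
{ sk->sk_uid = uid_via_socket_alloc(sock); }
/* After the fix: the caller states the uid, no layout assumption involved. */
static void sock_init_data_uid_model(struct sock *sk, unsigned int uid)
{ sk->sk_uid = uid; }

unsigned int regular_socket_uid(unsigned int owner)
{
    struct socket_alloc sa = { { 0 }, { owner } }; struct sock sk;
    sock_init_data_model(&sa.socket, &sk);   /* assumption holds here */
    return sk.sk_uid;
}
unsigned int tun_uid_before(void)
{
    struct tun_file tf = { { 0 }, 0 }; struct sock sk;
    sock_init_data_model(&tf.socket, &sk);   /* reads tf.zeroed_field as i_uid */
    return sk.sk_uid;
}
unsigned int tun_uid_after(unsigned int opener)
{
    struct sock sk;
    sock_init_data_uid_model(&sk, opener);
    return sk.sk_uid;
}
int main(void)
{
    printf("regular=%u tun_before=%u tun_after=%u\n",
           regular_socket_uid(1000), tun_uid_before(), tun_uid_after(1000));
}
```

In the model, as in the [Impact] description, the socket ends up owned by UID 0 regardless of who opened the device, so any UID-based filtering or routing rule is evaluated against the wrong owner until the uid is passed explicitly.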



