ACK: [SRU OEM-6.0 0/3] CVE-2023-1076
Tim Gardner
tim.gardner at canonical.com
Fri Aug 25 14:34:31 UTC 2023
On 8/24/23 5:06 AM, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux Kernel. The tun/tap sockets have their socket
> UID hardcoded to 0 due to a type confusion in their initialization function.
> While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it
> may not always be the case, e.g., a non-root user only having that capability.
> This would make tun/tap sockets be incorrectly treated in filtering/routing
> decisions, possibly bypassing network filters.
>
> [Fix]
> Cherry picked from upstream.
>
> [Test case]
> Compile, boot and basic tunctl functionality tested.
>
> [Potential regression]
> CVE-2023-4194 is a followup for this so this has a high regression potential.
>
> Pietro Borrello (3):
>   net: add sock_init_data_uid()
>   tun: tun_chr_open(): correctly initialize socket uid
>   tap: tap_open(): correctly initialize socket uid
>
>  drivers/net/tap.c  |  2 +-
>  drivers/net/tun.c  |  2 +-
>  include/net/sock.h |  7 ++++++-
>  net/core/sock.c    | 15 ++++++++++++---
>  4 files changed, 20 insertions(+), 6 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
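
A simplified user-space C model of the type confusion described in the [Impact] text, added here as an illustration; it is not code from the patch series or from the kernel. The `m_*` structs, `open_queue()` and the uid 1000 are constructed for the example, and the zeroed queue memory is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layouts for illustration; not the kernel's real definitions. */
struct m_socket { int state; void *sk; };
struct m_inode { unsigned int i_uid; };
/* The container a generic init routine expects: socket, then its inode. */
struct m_socket_alloc { struct m_socket socket; struct m_inode vfs_inode; };
/* A tun/tap-style container: the socket is embedded, no inode follows it. */
struct m_queue { long flags; struct m_socket socket; char other[64]; };

/* Pre-fix pattern: treat sock as part of m_socket_alloc; for m_queue the read lands in other[]. */
static unsigned int uid_assuming_socket_alloc(const struct m_socket *sock)
{
    size_t delta = offsetof(struct m_socket_alloc, vfs_inode)
                 + offsetof(struct m_inode, i_uid)
                 - offsetof(struct m_socket_alloc, socket);
    unsigned int uid;
    memcpy(&uid, (const char *)sock + delta, sizeof uid);
    return uid;
}

/* Post-fix pattern (the idea behind sock_init_data_uid()): the caller passes the uid. */
static unsigned int uid_explicit(const struct m_socket *sock, unsigned int uid)
{
    (void)sock;
    return uid;
}

/* Returns the uid recorded for a queue opened by `opener`. */
static unsigned int open_queue(unsigned int opener, int fixed)
{
    struct m_queue *q = calloc(1, sizeof *q); /* model assumption: zeroed memory */
    unsigned int uid;
    if (!q) return (unsigned int)-1;
    uid = fixed ? uid_explicit(&q->socket, opener)
                : uid_assuming_socket_alloc(&q->socket);
    free(q);
    return uid;
}

int main(void)
{
    printf("pre-fix uid=%u, post-fix uid=%u\n", open_queue(1000, 0), open_queue(1000, 1));
    return 0;
}
```

In the model, the pre-fix path records uid 0 for an opener with uid 1000 because the value is read from unrelated zeroed bytes, while the explicit-uid path records 1000.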