APPLIED[L/J/F/HWE-5.19]: [SRU Focal, Jammy, HWE-5.19, OEM-6.0, Lunar 0/2] CVE-2023-4194

[Stefan Bader]

On 24.08.23 13:08, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel’s TUN/TAP functionality. This issue could
> allow a local user to bypass network filters and gain unauthorized access to
> some resources. The original patches fixing CVE-2023-1076 are incorrect or
> incomplete. The problem is that the following upstream commits - a096ccca6e50
> (“tun: tun_chr_open(): correctly initialize socket uid”), - 66b2c338adce
> (“tap: tap_open(): correctly initialize socket uid”), pass “inode->i_uid” to
> sock_init_data_uid() as the last parameter and that turns out to not be
> accurate.
> 
> [Fix]
> Cherry picked from upstream.
> 
> [Test case]
> Compile, boot and tunctl basic functionality tested.
> 
> [Potential regression]
> TUN/TAP users might be affected. However very unlikely.
> 
> Laszlo Ersek (2):
>    net: tun_chr_open(): set sk_uid from current_fsuid()
>    net: tap_open(): set sk_uid from current_fsuid()
> 
>   drivers/net/tap.c | 2 +-
>   drivers/net/tun.c | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 

Applied to lunar,jammy,focal:linux/master-next and 
jammy:linux-hwe-5.19/hwe-5.19-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230831/f5718d0a/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230831/f5718d0a/attachment-0001.sig>