net: fix incorrect credentials passing
CVE-2013-1979
[ Upstream commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 ]
Commit 257b5358b3 ("scm: Capture the full credentials of the scm
sender") changed the credentials passing code to pass in the effective
uid/gid instead of the real uid/gid.
Obviously this doesn't matter most of the time (since normally they are
the same), but it results in differences for suid binaries when the wrong
uid/gid ends up being used.
This just undoes that (presumably unintentional) part of the commit.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This commit is contained in:
Linus Torvalds
committed by
Tim Gardner
Tim Gardner
parent
68abafa89d
commit
d665c750d6
@@ -316,7 +316,8 @@ struct ucred {
|
||||
/* IPX options */
|
||||
#define IPX_TYPE 1
|
||||
|
||||
extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
|
||||
extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred,
|
||||
bool use_effective);
|
||||
|
||||
extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
|
||||
extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
|
||||
|
||||
@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
|
||||
{
|
||||
scm->pid = get_pid(pid);
|
||||
scm->cred = cred ? get_cred(cred) : NULL;
|
||||
cred_to_ucred(pid, cred, &scm->creds);
|
||||
cred_to_ucred(pid, cred, &scm->creds, false);
|
||||
}
|
||||
|
||||
static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
|
||||
|
||||
@@ -814,15 +814,20 @@ EXPORT_SYMBOL(sock_setsockopt);
|
||||
|
||||
|
||||
void cred_to_ucred(struct pid *pid, const struct cred *cred,
|
||||
struct ucred *ucred)
|
||||
struct ucred *ucred, bool use_effective)
|
||||
{
|
||||
ucred->pid = pid_vnr(pid);
|
||||
ucred->uid = ucred->gid = -1;
|
||||
if (cred) {
|
||||
struct user_namespace *current_ns = current_user_ns();
|
||||
|
||||
if (use_effective) {
|
||||
ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
|
||||
ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
|
||||
} else {
|
||||
ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
|
||||
ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
|
||||
}
|
||||
}
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(cred_to_ucred);
|
||||
@@ -983,7 +988,8 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
|
||||
struct ucred peercred;
|
||||
if (len > sizeof(peercred))
|
||||
len = sizeof(peercred);
|
||||
cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
|
||||
cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred,
|
||||
&peercred, true);
|
||||
if (copy_to_user(optval, &peercred, len))
|
||||
return -EFAULT;
|
||||
goto lenout;
|
||||
|
||||
Reference in New Issue
Block a user