All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Maximilian Heyne" <mheyne@amazon.de>
Cc: "Oliver Hartkopp" <socketcan@hartkopp.net>,
	linux-can@vger.kernel.org,
	"Oleksij Rempel" <o.rempel@pengutronix.de>,
	"Marc Kleine-Budde" <mkl@pengutronix.de>,
	"Vincent Mailhol" <mailhol@kernel.org>
Subject: Re: [PATCH 6.6.y] net: add missing ns_capable check for peer netns
Date: Thu, 18 Jun 2026 08:27:44 +0000	[thread overview]
Message-ID: <20260618082744.9613C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260617-sprain-dye-86c242ac@mheyne-amazon>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Using `ns_capable()` instead of `netlink_ns_capable()` bypasses file descriptor capability checks, leaving the kernel vulnerable to confused deputy privilege escalation attacks via netlink fd passing.
--

commit 7cb10271bfe1888c97bd5ddcadbd3ed1e69fb9b0
Author: Maximilian Heyne <mheyne@amazon.de>

net: add missing ns_capable check for peer netns

This commit attempts to fix CVE-2026-31692 by approximating the 
netlink_ns_capable() check with ns_capable() directly in the respective 
interface types. It assumes that because the newlink operation is 
synchronous, this will result in the same behavior.

> diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
> index 98c669ad51414..da4affff65476 100644
> --- a/drivers/net/can/vxcan.c
> +++ b/drivers/net/can/vxcan.c
> @@ -211,6 +211,11 @@ static int vxcan_newlink(struct net *net, struct net_device *dev,
>  	if (IS_ERR(peer_net))
>  		return PTR_ERR(peer_net);
>  
> +	if (!ns_capable(peer_net->user_ns, CAP_NET_ADMIN)) {

[Severity: High]
Does using ns_capable() instead of netlink_ns_capable() leave the kernel
vulnerable to confused deputy attacks via file descriptor passing?

Because ns_capable() only evaluates current_cred(), an unprivileged
attacker could create a netlink socket, craft an RTM_NEWLINK payload,
and pass the socket fd (e.g., via SCM_RIGHTS) to a privileged process.
When the privileged deputy writes to the socket, this ns_capable() check
would succeed using the deputy's credentials, ignoring the fact that the
socket was opened by an unprivileged user.

netlink_ns_capable() explicitly checks both the socket opener
(file_ns_capable) and the sender (ns_capable) to prevent exactly this
scenario. Could this approach be revised to ensure the socket opener's
credentials are also verified?

> +		put_net(peer_net);
> +		return -EPERM;
> +	}
> +
>  	peer = rtnl_create_link(peer_net, ifname, name_assign_type,
>  				&vxcan_link_ops, tbp, extack);

[ ... ]

> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index 2b3b0beb55c88..ba4ca6c6bc9d8 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -1857,6 +1857,11 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
>  	if (IS_ERR(net))
>  		return PTR_ERR(net);
>  
> +	if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {

[Severity: High]
Would this ns_capable() check in veth_newlink() similarly bypass the
socket opener credential check?

As with vxcan_newlink(), using ns_capable() alone seems to bypass the
file descriptor capability checks that netlink_ns_capable() provides,
potentially allowing privilege escalation if the netlink fd is passed
to a more privileged process.

> +		put_net(net);
> +		return -EPERM;
> +	}
> +
>  	peer = rtnl_create_link(net, ifname, name_assign_type,
>  				&veth_link_ops, tbp, extack);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617-sprain-dye-86c242ac@mheyne-amazon?part=1

  reply	other threads:[~2026-06-18  8:27 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-17  8:26 [PATCH 6.6.y] net: add missing ns_capable check for peer netns Maximilian Heyne
2026-06-18  8:27 ` sashiko-bot [this message]
2026-07-02 14:14 ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260618082744.9613C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-can@vger.kernel.org \
    --cc=mailhol@kernel.org \
    --cc=mheyne@amazon.de \
    --cc=mkl@pengutronix.de \
    --cc=o.rempel@pengutronix.de \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=socketcan@hartkopp.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.