[PATCH 02/10] tun: Fix races in tun_set_iff

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: <netdev@vger.kernel.org>, Max Krasnyansky <maxk@qualcomm.com>,
	Pavel Emelyanov <xemul@openvz.org>, <netdev@vger.kernel.org>
Subject: [PATCH 02/10] tun: Fix races in tun_set_iff
Date: Tue, 20 Jan 2009 12:57:48 -0800	[thread overview]
Message-ID: <m1mydllmpf.fsf_-_@fess.ebiederm.org> (raw)
In-Reply-To: <m1skndlmrv.fsf@fess.ebiederm.org> (Eric W. Biederman's message of "Tue\, 20 Jan 2009 12\:56\:20 -0800")


It is possible for two different tasks with access to the same file
descriptor to call tun_set_iff on it at the same time and race to
attach to a tap device.  Prevent this by placing all of the logic to
attach to a file descriptor in one function and testing the file
descriptor to be certain it is not already attached to another tun
device.

Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
---
 drivers/net/tun.c |   48 ++++++++++++++++++++++++++++++++----------------
 1 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 17923a5..20ef14d 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -106,6 +106,31 @@ struct tun_struct {
 #endif
 };
 
+static int tun_attach(struct tun_struct *tun, struct file *file)
+{
+	const struct cred *cred = current_cred();
+
+	ASSERT_RTNL();
+
+	if (file->private_data)
+		return -EINVAL;
+
+	if (tun->attached)
+		return -EBUSY;
+
+	/* Check permissions */
+	if (((tun->owner != -1 && cred->euid != tun->owner) ||
+	     (tun->group != -1 && cred->egid != tun->group)) &&
+		!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
+	file->private_data = tun;
+	tun->attached = 1;
+	get_net(dev_net(tun->dev));
+
+	return 0;
+}
+
 /* TAP filterting */
 static void addr_hash_set(u32 *mask, const u8 *addr)
 {
@@ -695,7 +720,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 {
 	struct tun_struct *tun;
 	struct net_device *dev;
-	const struct cred *cred = current_cred();
 	int err;
 
 	dev = __dev_get_by_name(net, ifr->ifr_name);
@@ -707,17 +731,9 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		else
 			return -EINVAL;
 
-		if (tun->attached)
-			return -EBUSY;
-
-		/* Check permissions */
-		if (((tun->owner != -1 &&
-		      cred->euid != tun->owner) ||
-		     (tun->group != -1 &&
-		      cred->egid != tun->group)) &&
-		    !capable(CAP_NET_ADMIN)) {
-			return -EPERM;
-		}
+		err = tun_attach(tun, file);
+		if (err < 0)
+			return err;
 	}
 	else {
 		char *name;
@@ -766,6 +782,10 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		err = register_netdevice(tun->dev);
 		if (err < 0)
 			goto err_free_dev;
+
+		err = tun_attach(tun, file);
+		if (err < 0)
+			goto err_free_dev;
 	}
 
 	DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name);
@@ -785,10 +805,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 	else
 		tun->flags &= ~TUN_VNET_HDR;
 
-	file->private_data = tun;
-	tun->attached = 1;
-	get_net(dev_net(tun->dev));
-
 	/* Make sure persistent devices do not get stuck in
 	 * xoff state.
 	 */
-- 
1.5.6.3

next prev parent reply	other threads:[~2009-01-21  2:45 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-01-20 20:53 [PATCH 0/10] Tun fixes and netns migration Eric W. Biederman
2009-01-20 20:56 ` [PATCH 01/10] tun: Remove unnecessary tun_get_by_name Eric W. Biederman
2009-01-20 20:57   ` Eric W. Biederman [this message]
2009-01-20 20:59     ` [PATCH 03/10] tun: Use POLLERR not EBADF in tun_chr_poll Eric W. Biederman
2009-01-20 21:00       ` [PATCH 04/10] tun: Introduce tun_file Eric W. Biederman
2009-01-20 21:01         ` [PATCH 05/10] tun: Grab the netns in open Eric W. Biederman
2009-01-20 21:02           ` [PATCH 06/10] tun: Make tun_net_xmit atomic wrt tun_attach && tun_detach Eric W. Biederman
2009-01-20 21:03             ` [PATCH 07/10] tun: Move read_wait into tun_file Eric W. Biederman
2009-01-20 21:07               ` [PATCH 08/10] tun: Fix races between tun_net_close and free_netdev Eric W. Biederman
2009-01-20 21:08                 ` [PATCH 09/10] tun: There is no longer any need to deny changing network namespaces Eric W. Biederman
2009-01-22  0:03 ` [PATCH 0/10] Tun fixes and netns migration David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:17923a5 dfblob:20ef14d )
 OR (
bs:"[PATCH 02/10] tun: Fix races in tun_set_iff" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m1mydllmpf.fsf_-_@fess.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=davem@davemloft.net \
    --cc=maxk@qualcomm.com \
    --cc=netdev@vger.kernel.org \
    --cc=xemul@openvz.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.