netdev.vger.kernel.org archive mirror
From: Jiri Benc <jbenc@redhat.com>
To: Network Development <netdev@vger.kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Daniel Borkmann <dborkman@redhat.com>
Subject: Re: [PATCH urgent] netlink: Only check file credentials for implicit destinations
Date: Wed, 4 Jun 2014 18:01:31 +0200
Message-ID: <20140604180131.1bc17fe8@griffin>
In-Reply-To: <06bbac8182aa1054ab8f6392f14e9148def0f561.1401472882.git.luto@amacapital.net>

On Fri, 30 May 2014 11:04:00 -0700, Andy Lutomirski wrote:
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -1373,7 +1373,9 @@ retry:
>  bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
>  			struct user_namespace *user_ns, int cap)
>  {
> -	return sk_ns_capable(nsp->sk, user_ns, cap);
> +	return ((nsp->flags & NETLINK_SKB_DST) ||
> +		file_ns_capable(nsp->sk->sk_socket->file, user_ns, cap)) &&
> +		ns_capable(user_ns, cap);
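
Review bot: In the second added line, nsp->sk->sk_socket->file is dereferenced with no check that sk_socket or file is set, and that path runs whenever NETLINK_SKB_DST is clear. Either guard the chain before calling file_ns_capable() or add a comment stating why both pointers are valid for every sender that can reach this function. A short comment on why NETLINK_SKB_DST skips the file credential check would also help, and the && continuation line is indented to the same depth as the || operand, which hides that ns_capable() applies to the whole parenthesised expression.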

Sorry if I'm missing something. Is socket->file valid (non-NULL) in
kernel->kernel netlink communication? I don't think it's assigned for
sockets created by netlink_kernel_create, is it? Seems this would cause
NULL ptr dereference.

But then, I don't even know whether kernel->kernel netlink
communication is allowed.

(I'm aware that if this is really the case the NULL ptr deref is not
caused by this patch but by the one this is fixing.)

Thanks,

 Jiri

-- 
Jiri Benc
