From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Michal Koutný" <mkoutny@suse.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
linux-cve-announce@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug
Date: Tue, 2 Jul 2024 21:19:33 +0200 [thread overview]
Message-ID: <2024070208-legume-possible-de8b@gregkh> (raw)
In-Reply-To: <4bka5bbczovc7z3tplqjlsfukf6qneg4wwddixgodsgqkudwlu@yws3uczmtzsn>
On Tue, Jul 02, 2024 at 06:15:09PM +0200, Michal Koutný wrote:
> Hello.
>
> On Tue, May 21, 2024 at 04:20:39PM GMT, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > net/nfc/rawsock.c: fix a permission check bug
> >
> > The function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable().
> >
> > The Linux kernel CVE team has assigned CVE-2021-47285 to this issue.
> > ...
> > https://git.kernel.org/stable/c/8ab78863e9eff11910e1ac8bcf478060c29b379e
>
> Despite the patch changes guard related to EPERM bailout, it actually
> swaps a "stronger" predicate capable() for a "weaker" ns_capable().
>
> Without the patch, an unprivilged user is not allowed to create nfc
> SOCK_RAW inside owned netns, with the patch, it's allowed.
Ah, we misread this, thinking it went up in security, not "down".
And this was from the old GSD ids, odd that no one noticed it then :(
Anyway, now rejected, thanks for the review!
greg k-h
prev parent reply other threads:[~2024-07-02 19:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024052155-CVE-2021-47285-4fee@gregkh>
2024-07-02 16:15 ` CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug Michal Koutný
2024-07-02 19:19 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024070208-legume-possible-de8b@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkoutny@suse.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).