* Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug
[not found] <2024052155-CVE-2021-47285-4fee@gregkh>
@ 2024-07-02 16:15 ` Michal Koutný
2024-07-02 19:19 ` Greg Kroah-Hartman
0 siblings, 1 reply; 2+ messages in thread
From: Michal Koutný @ 2024-07-02 16:15 UTC (permalink / raw)
To: cve, linux-kernel; +Cc: linux-cve-announce, Greg Kroah-Hartman, netdev
[-- Attachment #1: Type: text/plain, Size: 1045 bytes --]
Hello.
On Tue, May 21, 2024 at 04:20:39PM GMT, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> In the Linux kernel, the following vulnerability has been resolved:
>
> net/nfc/rawsock.c: fix a permission check bug
>
> The function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable().
>
> The Linux kernel CVE team has assigned CVE-2021-47285 to this issue.
> ...
> https://git.kernel.org/stable/c/8ab78863e9eff11910e1ac8bcf478060c29b379e
Despite the patch changes guard related to EPERM bailout, it actually
swaps a "stronger" predicate capable() for a "weaker" ns_capable().
Without the patch, an unprivilged user is not allowed to create nfc
SOCK_RAW inside owned netns, with the patch, it's allowed.
That's a functional change but not security related. Or have I missed a
negation somewhere?
Thanks,
Michal
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug
2024-07-02 16:15 ` CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug Michal Koutný
@ 2024-07-02 19:19 ` Greg Kroah-Hartman
0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-02 19:19 UTC (permalink / raw)
To: Michal Koutný; +Cc: cve, linux-kernel, linux-cve-announce, netdev
On Tue, Jul 02, 2024 at 06:15:09PM +0200, Michal Koutný wrote:
> Hello.
>
> On Tue, May 21, 2024 at 04:20:39PM GMT, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > net/nfc/rawsock.c: fix a permission check bug
> >
> > The function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable().
> >
> > The Linux kernel CVE team has assigned CVE-2021-47285 to this issue.
> > ...
> > https://git.kernel.org/stable/c/8ab78863e9eff11910e1ac8bcf478060c29b379e
>
> Despite the patch changes guard related to EPERM bailout, it actually
> swaps a "stronger" predicate capable() for a "weaker" ns_capable().
>
> Without the patch, an unprivilged user is not allowed to create nfc
> SOCK_RAW inside owned netns, with the patch, it's allowed.
Ah, we misread this, thinking it went up in security, not "down".
And this was from the old GSD ids, odd that no one noticed it then :(
Anyway, now rejected, thanks for the review!
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-07-02 19:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2024052155-CVE-2021-47285-4fee@gregkh>
2024-07-02 16:15 ` CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug Michal Koutný
2024-07-02 19:19 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).