public inbox for netdev@vger.kernel.org
* [PATCH] ipv4: ipmr: add socket type checks to ipmr_ioctl()
@ 2026-01-23  7:16 Suchit Karunakaran
  2026-01-23  9:26 ` Eric Dumazet
  0 siblings, 1 reply; 3+ messages in thread
From: Suchit Karunakaran @ 2026-01-23  7:16 UTC (permalink / raw)
  To: davem, dsahern, edumazet, kuba, pabeni
  Cc: horms, netdev, linux-kernel, Suchit Karunakaran

This is the IPv4 counterpart to commit ("ipv6: ip6mr: add socket type
checks to ip6mr_ioctl()") [1].

Similar to the IPv6 issue, ipmr_ioctl() and ipmr_compat_ioctl() access
raw_sk(sk)->ipmr_table without first verifying that the socket is a raw
socket with IPPROTO_IGMP protocol.

This allows a permission bypass where a user with CAP_NET_RAW can create
a non-IGMP raw socket (e.g., IPPROTO_UDP, IPPROTO_TCP, or any other
protocol) and use SIOCGETVIFCNT or SIOCGETSGCNT ioctls to query IPv4
multicast routing statistics. This bypasses the access control that
restricts mroute operations to IGMP sockets only.

Add socket type and protocol checks at the beginning of both
ipmr_ioctl() and ipmr_compat_ioctl() to ensure only IGMP raw sockets
can access multicast routing ioctls.

Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>

[1] https://lore.kernel.org/all/20260123011444.2044-2-qikeyu2017@gmail.com/
---
 net/ipv4/ipmr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index ca9eaee4c2ef..eae03a1b8f66 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1643,6 +1643,10 @@ int ipmr_ioctl(struct sock *sk, int cmd, void *arg)
 	struct sioc_sg_req *sr;
 	struct mr_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_IGMP)
+		return -EOPNOTSUPP;
+
 	mrt = ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT);
 	if (!mrt)
 		return -ENOENT;
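
Review bot: The check added at the top of ipmr_ioctl() runs before anything looks at cmd, so it rejects every ioctl on a socket that is not SOCK_RAW with inet_num == IPPROTO_IGMP, not only the SIOCGETVIFCNT and SIOCGETSGCNT requests the commit message names. Sockets that used to reach ipmr_get_table() here will now see -EOPNOTSUPP, which is a userspace-visible behaviour change and should be called out in the commit message. The message also describes only raw sockets opened with another protocol, so it should state whether a non-raw sock can reach this function at all: the sk_type half of the test matters only if raw_sk(sk) can be applied to a sock that is not a raw sock. Finally, the reference to the IPv6 commit carries no hash and there is no Fixes: tag; please add both.
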
@@ -1711,6 +1715,10 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
 	struct net *net = sock_net(sk);
 	struct mr_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_IGMP)
+		return -EOPNOTSUPP;
+
 	mrt = ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT);
 	if (!mrt)
 		return -ENOENT;
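
Review bot: The condition added to ipmr_compat_ioctl() is a verbatim copy of the one added to ipmr_ioctl() (`sk->sk_type != SOCK_RAW || inet_sk(sk)->inet_num != IPPROTO_IGMP`); a small static helper called from both functions would keep the native and compat paths from drifting apart. A short comment above the check saying why raw_sk(sk)->ipmr_table may only be read for IGMP raw sockets would also help, since nothing in the surrounding code states that rule.
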
-- 
2.52.0



* Re: [PATCH] ipv4: ipmr: add socket type checks to ipmr_ioctl()
  2026-01-23  7:16 [PATCH] ipv4: ipmr: add socket type checks to ipmr_ioctl() Suchit Karunakaran
@ 2026-01-23  9:26 ` Eric Dumazet
  2026-01-24 15:25   ` Suchit Karunakaran
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Dumazet @ 2026-01-23  9:26 UTC (permalink / raw)
  To: Suchit Karunakaran
  Cc: davem, dsahern, kuba, pabeni, horms, netdev, linux-kernel

On Fri, Jan 23, 2026 at 10:04 AM Suchit Karunakaran
<suchitkarunakaran@gmail.com> wrote:
>
> This is the IPv4 counterpart to commit ("ipv6: ip6mr: add socket type
> checks to ip6mr_ioctl()") [1].
>
> Similar to the IPv6 issue, ipmr_ioctl() and ipmr_compat_ioctl() access
> raw_sk(sk)->ipmr_table without first verifying that the socket is a raw
> socket with IPPROTO_IGMP protocol.
>
> This allows a permission bypass where a user with CAP_NET_RAW can create
> a non-IGMP raw socket (e.g., IPPROTO_UDP, IPPROTO_TCP, or any other
> protocol) and use SIOCGETVIFCNT or SIOCGETSGCNT ioctls to query IPv4
> multicast routing statistics. This bypasses the access control that
> restricts mroute operations to IGMP sockets only.

Where has this been documented? An RFC perhaps ?

This change could break applications if they were unaware of such rules.

I fail to see how querying statistics could be a risk.

What about the RTNL_FAMILY_IPMR rtnetlink interface ? I am sure it is
available to any user.


* Re: [PATCH] ipv4: ipmr: add socket type checks to ipmr_ioctl()
  2026-01-23  9:26 ` Eric Dumazet
@ 2026-01-24 15:25   ` Suchit Karunakaran
  0 siblings, 0 replies; 3+ messages in thread
From: Suchit Karunakaran @ 2026-01-24 15:25 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: davem, dsahern, kuba, pabeni, horms, netdev, linux-kernel

On Fri, 23 Jan 2026 at 14:57, Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Jan 23, 2026 at 10:04 AM Suchit Karunakaran
> <suchitkarunakaran@gmail.com> wrote:
> >
> > This is the IPv4 counterpart to commit ("ipv6: ip6mr: add socket type
> > checks to ip6mr_ioctl()") [1].
> >
> > Similar to the IPv6 issue, ipmr_ioctl() and ipmr_compat_ioctl() access
> > raw_sk(sk)->ipmr_table without first verifying that the socket is a raw
> > socket with IPPROTO_IGMP protocol.
> >
> > This allows a permission bypass where a user with CAP_NET_RAW can create
> > a non-IGMP raw socket (e.g., IPPROTO_UDP, IPPROTO_TCP, or any other
> > protocol) and use SIOCGETVIFCNT or SIOCGETSGCNT ioctls to query IPv4
> > multicast routing statistics. This bypasses the access control that
> > restricts mroute operations to IGMP sockets only.
>
> Where has this been documented? An RFC perhaps ?
>
> This change could break applications if they were unaware of such rules.
>
> I fail to see how querying statistics could be a risk.
>
> What about the RTNL_FAMILY_IPMR rtnetlink interface ? I am sure it is
> available to any user.

Hi Eric. The primary motivations for this patch are the IPv6
counterpart mentioned in the commit message and the commit 5e1859f.
