From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"David S. Miller" <davem@davemloft.net>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 16/30] net: fix incorrect credentials passing
Date: Mon, 29 Apr 2013 12:02:40 -0700 [thread overview]
Message-ID: <20130429184357.141645203@linuxfoundation.org> (raw)
In-Reply-To: <20130429184355.299556377@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
[ Upstream commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 ]
Commit 257b5358b32f ("scm: Capture the full credentials of the scm
sender") changed the credentials passing code to pass in the effective
uid/gid instead of the real uid/gid.
Obviously this doesn't matter most of the time (since normally they are
the same), but it results in differences for suid binaries when the wrong
uid/gid ends up being used.
This just undoes that (presumably unintentional) part of the commit.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/socket.h | 3 ++-
include/net/scm.h | 2 +-
net/core/sock.c | 14 ++++++++++----
3 files changed, 13 insertions(+), 6 deletions(-)
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -312,7 +312,8 @@ struct ucred {
/* IPX options */
#define IPX_TYPE 1
-extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
+extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred,
+ bool use_effective);
extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(stru
{
scm->pid = get_pid(pid);
scm->cred = get_cred(cred);
- cred_to_ucred(pid, cred, &scm->creds);
+ cred_to_ucred(pid, cred, &scm->creds, false);
}
static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -752,15 +752,20 @@ EXPORT_SYMBOL(sock_setsockopt);
void cred_to_ucred(struct pid *pid, const struct cred *cred,
- struct ucred *ucred)
+ struct ucred *ucred, bool use_effective)
{
ucred->pid = pid_vnr(pid);
ucred->uid = ucred->gid = -1;
if (cred) {
struct user_namespace *current_ns = current_user_ns();
- ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
- ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
+ if (use_effective) {
+ ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
+ ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
+ } else {
+ ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
+ ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
+ }
}
}
EXPORT_SYMBOL_GPL(cred_to_ucred);
@@ -921,7 +926,8 @@ int sock_getsockopt(struct socket *sock,
struct ucred peercred;
if (len > sizeof(peercred))
len = sizeof(peercred);
- cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
+ cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred,
+ &peercred, true);
if (copy_to_user(optval, &peercred, len))
return -EFAULT;
goto lenout;
next prev parent reply other threads:[~2013-04-29 19:02 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-29 19:02 [ 00/30] 3.0.76-stable review Greg Kroah-Hartman
2013-04-29 19:02 ` [ 01/30] TTY: do not update atime/mtime on read/write Greg Kroah-Hartman
2013-04-29 19:02 ` [ 02/30] TTY: fix atime/mtime regression Greg Kroah-Hartman
2013-04-29 19:02 ` [ 03/30] sparc64: Fix race in TLB batch processing Greg Kroah-Hartman
2013-04-29 19:02 ` [ 04/30] cbq: incorrect processing of high limits Greg Kroah-Hartman
2013-04-29 19:02 ` [ 05/30] net IPv6 : Fix broken IPv6 routing table after loopback down-up Greg Kroah-Hartman
2013-04-29 19:02 ` [ 06/30] net: count hw_addr syncs so that unsync works properly Greg Kroah-Hartman
2013-04-29 19:02 ` [ 07/30] atl1e: limit gso segment size to prevent generation of wrong ip length fields Greg Kroah-Hartman
2013-04-29 19:02 ` [ 08/30] bonding: IFF_BONDING is not stripped on enslave failure Greg Kroah-Hartman
2013-04-29 19:02 ` [ 09/30] af_unix: If we dont care about credentials coallesce all messages Greg Kroah-Hartman
2013-04-29 19:02 ` [ 10/30] netfilter: dont reset nf_trace in nf_reset() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 11/30] rtnetlink: Call nlmsg_parse() with correct header length Greg Kroah-Hartman
2013-04-29 19:02 ` [ 12/30] tcp: incoming connections might use wrong route under synflood Greg Kroah-Hartman
2013-04-29 19:02 ` [ 13/30] esp4: fix error return code in esp_output() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 14/30] net: sctp: sctp_auth_key_put: use kzfree instead of kfree Greg Kroah-Hartman
2013-04-29 19:02 ` [ 15/30] tcp: call tcp_replace_ts_recent() from tcp_ack() Greg Kroah-Hartman
2013-04-29 19:02 ` Greg Kroah-Hartman [this message]
2013-04-29 19:02 ` [ 17/30] atm: update msg_namelen in vcc_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 18/30] ax25: fix info leak via msg_name in ax25_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 19/30] Bluetooth: fix possible info leak in bt_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 20/30] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 21/30] caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 22/30] irda: Fix missing msg_namelen update in irda_recvmsg_dgram() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 23/30] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 24/30] llc: Fix missing msg_namelen update in llc_ui_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 25/30] netrom: fix info leak via msg_name in nr_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 26/30] rose: fix info leak via msg_name in rose_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 27/30] tipc: fix info leaks via msg_name in recv_msg/recv_stream Greg Kroah-Hartman
2013-04-29 19:02 ` [ 28/30] netrom: fix invalid use of sizeof in nr_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 29/30] net: drop dst before queueing fragments Greg Kroah-Hartman
2013-04-29 19:02 ` [ 30/30] sparc32: support atomic64_t Greg Kroah-Hartman
2013-04-30 1:53 ` [ 00/30] 3.0.76-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130429184357.141645203@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox