Patchwork [3/5] userns: Check uid_map's opener's fsuid, not the current fsuid (CVE-2013-1959)

login
register
mail settings
Submitter John Johansen
Date April 30, 2013, 8:59 p.m.
Message ID <1367355545-10432-4-git-send-email-john.johansen@canonical.com>
Download mbox | patch
Permalink /patch/240693/
State New
Headers show

Comments

John Johansen - April 30, 2013, 8:59 p.m.
From: Andy Lutomirski <luto@amacapital.net>

Signed-off-by: Andy Lutomirski <luto@amacapital.net>

(cherry picked from commit e3211c120a85b792978bcb4be7b2886df18d27f0)
CVE-2013-1959
BugLink: https://launchpad.net/bugs/1174590
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 kernel/user_namespace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index d259d4a..c594802 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -763,12 +763,12 @@  static bool new_idmap_permitted(const struct file *file,
 		u32 id = new_map->extent[0].lower_first;
 		if (cap_setid == CAP_SETUID) {
 			kuid_t uid = make_kuid(ns->parent, id);
-			if (uid_eq(uid, current_fsuid()))
+			if (uid_eq(uid, file->f_cred->fsuid))
 				return true;
 		}
 		else if (cap_setid == CAP_SETGID) {
 			kgid_t gid = make_kgid(ns->parent, id);
-			if (gid_eq(gid, current_fsgid()))
+			if (gid_eq(gid, file->f_cred->fsgid))
 				return true;
 		}
 	}