[4/5] net: fix incorrect credentials passing (CVE-2013-1979)

Message ID 1367355545-10432-5-git-send-email-john.johansen@canonical.com
State New
Headers show

Commit Message

John Johansen April 30, 2013, 8:59 p.m.
From: Linus Torvalds <torvalds@linux-foundation.org>

Commit 257b5358b32f ("scm: Capture the full credentials of the scm
sender") changed the credentials passing code to pass in the effective
uid/gid instead of the real uid/gid.

Obviously this doesn't matter most of the time (since normally they are
the same), but it results in differences for suid binaries when the wrong
uid/gid ends up being used.

This just undoes that (presumably unintentional) part of the commit.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494)
BugLink: https://launchpad.net/bugs/1174827
Signed-off-by: John Johansen <john.johansen@canonical.com>
 include/net/scm.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/include/net/scm.h b/include/net/scm.h
index 975cca0..b117081 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -56,8 +56,8 @@  static __inline__ void scm_set_cred(struct scm_cookie *scm,
 	scm->pid  = get_pid(pid);
 	scm->cred = cred ? get_cred(cred) : NULL;
 	scm->creds.pid = pid_vnr(pid);
-	scm->creds.uid = cred ? cred->euid : INVALID_UID;
-	scm->creds.gid = cred ? cred->egid : INVALID_GID;
+	scm->creds.uid = cred ? cred->uid : INVALID_UID;
+	scm->creds.gid = cred ? cred->gid : INVALID_GID;
 static __inline__ void scm_destroy_cred(struct scm_cookie *scm)