[net-next,1/1] tipc: Fix namespace violation in tipc_sk_fill_sock_diag

Message ID 1522846187-23914-1-git-send-email-mohan.krishna.ghanta.krishnamurthy@ericsson.com
State Accepted, archived
Delegated to: David Miller

Commit Message

GhantaKrishnamurthy MohanKrishna April 4, 2018, 12:49 p.m. UTC
To fetch UID info for socket diagnostics, we determine the
namespace of user context using tipc socket instance. This
may cause namespace violation, as the kernel will remap based
on UID.

We fix this by fetching namespace info using the calling userspace
netlink socket.

Fixes: c30b70deb5f4 (tipc: implement socket diagnostics for AF_TIPC)
Reported-by: syzbot+326e587eff1074657718@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com>
---
 net/tipc/socket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

David Miller April 4, 2018, 3:55 p.m. UTC | #1
From: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com>
Date: Wed, 4 Apr 2018 14:49:47 +0200

> To fetch UID info for socket diagnostics, we determine the
> namespace of user context using tipc socket instance. This
> may cause namespace violation, as the kernel will remap based
> on UID.
> 
> We fix this by fetching namespace info using the calling userspace
> netlink socket.
> 
> Fixes: c30b70deb5f4 (tipc: implement socket diagnostics for AF_TIPC)
> Reported-by: syzbot+326e587eff1074657718@syzkaller.appspotmail.com
> Acked-by: Jon Maloy <jon.maloy@ericsson.com>
> Signed-off-by: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com>

Applied, thank you.

Patch

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 3e5eba30865e..cee6674a3bf4 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -3280,7 +3280,8 @@  int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
 	    nla_put_u32(skb, TIPC_NLA_SOCK_TIPC_STATE, (u32)sk->sk_state) ||
 	    nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) ||
 	    nla_put_u32(skb, TIPC_NLA_SOCK_UID,
-			from_kuid_munged(sk_user_ns(sk), sock_i_uid(sk))) ||
+			from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk),
+					 sock_i_uid(sk))) ||
 	    nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE,
 			      tipc_diag_gen_cookie(sk),
 			      TIPC_NLA_SOCK_PAD))
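
Review bot: In the new `from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk), ...)` argument, `skb` is the same buffer the surrounding `nla_put_u32(skb, ...)` calls are writing attributes into, so it is the message being built rather than the request that came from userspace. The commit message says the namespace should come from the calling userspace netlink socket, so please confirm that the control block of this buffer actually carries the requester's socket at this point, and that `NETLINK_CB(skb).sk` cannot be NULL before `sk_user_ns()` dereferences it. If the control block is only populated on the incoming request, the function should take the request skb (or the dump callback that holds it) as a parameter and read the socket from there. A one-line comment above the `TIPC_NLA_SOCK_UID` attribute stating that the UID is translated into the requester's user namespace, not the namespace of the TIPC socket owner, would also keep a later cleanup from reverting to `sk_user_ns(sk)`.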