From patchwork Thu Apr 17 04:41:34 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Lutomirski <luto@amacapital.net>
X-Patchwork-Id: 339776
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id B05501400A8
	for <patchwork-incoming@ozlabs.org>;
	Thu, 17 Apr 2014 14:42:33 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751454AbaDQElr (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 17 Apr 2014 00:41:47 -0400
Received: from mail-pa0-f46.google.com ([209.85.220.46]:46949 "EHLO
	mail-pa0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751178AbaDQElp (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 17 Apr 2014 00:41:45 -0400
Received: by mail-pa0-f46.google.com with SMTP id kx10so11787589pab.33
	for <netdev@vger.kernel.org>; Wed, 16 Apr 2014 21:41:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=SMw9wT5QopFr4Mn6X1yhWh0gBm0DrR/cA8pb/tnHJjQ=;
	b=O5JbMeJSCxGL1P12SqhrfKE2fMgcl1b5Ki0vr4dLau5MkMjX7PArQ565abXEGPHJs1
	BcyC/ymOHHWIXsDvpd+I/AHLKGj0J9Wwu4mkCzWEj/vq/3SMc0/WYfRuUAtv7iFHWbco
	hTi7Zx5MMuxfkVQSYTRH4XemKGRTkQ3y8Uvw1UvtvCmG3wZ3+bNdxkAAcpQGlEEkOAwe
	EZfvpjr1+W8ujTAORgCYZcwIy89XPCWgvMrqE0IoN68b4Zk37vVbR55PGl5pDwRTBtHI
	lRkFj+duI4iKhgIag5zigu6MhrCJnmr0ohxTQv0ekZu9SVcuoVMITNgO9h53JQl7pn9W
	QAUA==
X-Gm-Message-State: 
 ALoCoQkR+x/tfNC3Is8kV4Lc0Sv/5gIMRrUr2VLlxzFv+jSKUwE4yUvqo9boM4Fn2J7iIhEYuxWY
X-Received: by 10.66.221.99 with SMTP id qd3mr13204525pac.46.1397709704326;
	Wed, 16 Apr 2014 21:41:44 -0700 (PDT)
Received: from localhost ([2001:5a8:4:83c0:b591:846d:6608:ef2a])
	by mx.google.com with ESMTPSA id
	x5sm50585061pbw.26.2014.04.16.21.41.42 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 16 Apr 2014 21:41:43 -0700 (PDT)
From: Andy Lutomirski <luto@amacapital.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>, netdev@vger.kernel.org
Cc: Andy Lutomirski <luto@amacapital.net>, stable@vger.kernel.org
Subject: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo
Date: Wed, 16 Apr 2014 21:41:34 -0700
Message-Id: 
 <1360f6acc2064d49a41f2d993d05cdcf8a40fc06.1397709384.git.luto@amacapital.net>
X-Mailer: git-send-email 1.9.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The caller needs capabilities on the namespace being queried, not on
their own namespace.  This is a security bug, although it likely has
only a minor impact.

Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

Someone should check that I'm right.  I had trouble getting 'ss -b' to
work, even with plain old sudo.

 include/linux/sock_diag.h | 2 +-
 net/core/sock_diag.c      | 4 ++--
 net/packet/diag.c         | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 54f91d3..302ab80 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
 void sock_diag_save_cookie(void *sk, __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+int sock_diag_put_filterinfo(struct sock *sk,
 			     struct sk_buff *skb, int attrtype);
 
 #endif
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index a0e9cf6..6a7fae2 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
 }
 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
 
-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+int sock_diag_put_filterinfo(struct sock *sk,
 			     struct sk_buff *skb, int attrtype)
 {
 	struct nlattr *attr;
@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
 	unsigned int len;
 	int err = 0;
 
-	if (!ns_capable(user_ns, CAP_NET_ADMIN)) {
+	if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
 		nla_reserve(skb, attrtype, 0);
 		return 0;
 	}
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 533ce4f..435ff99 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 		goto out_nlmsg_trim;
 
 	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
-	    sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
+	    sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
 		goto out_nlmsg_trim;
 
 	return nlmsg_end(skb, nlh);