From patchwork Tue Apr 30 20:59:04 2013
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 240694
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/5] net: fix incorrect credentials passing (CVE-2013-1979)
Date: Tue, 30 Apr 2013 13:59:04 -0700
Message-Id: <1367355545-10432-5-git-send-email-john.johansen@canonical.com>
In-Reply-To: <1367355545-10432-1-git-send-email-john.johansen@canonical.com>
References: <1367355545-10432-1-git-send-email-john.johansen@canonical.com>
From: Linus Torvalds

Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid.

Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used.

This just undoes that (presumably unintentional) part of the commit.

Reported-by: Andy Lutomirski
Cc: Eric W. Biederman
Cc: Serge E. Hallyn
Cc: David S. Miller
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds
Acked-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
(cherry picked from commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494)
CVE-2013-1979
BugLink: https://launchpad.net/bugs/1174827
Signed-off-by: John Johansen

--- include/net/scm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net/scm.h b/include/net/scm.h index 975cca0..b117081 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -56,8 +56,8 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm, scm->pid = get_pid(pid); scm->cred = cred ? get_cred(cred) : NULL; scm->creds.pid = pid_vnr(pid); - scm->creds.uid = cred ? cred->euid : INVALID_UID; - scm->creds.gid = cred ? cred->egid : INVALID_GID; + scm->creds.uid = cred ? cred->uid : INVALID_UID; + scm->creds.gid = cred ? cred->gid : INVALID_GID; } static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
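
Review bot: the two changed assignments in scm_set_cred() (scm->creds.uid and scm->creds.gid) carry no comment saying that the real ids are the intended values, and since the commit message itself calls the earlier switch to euid/egid "presumably unintentional", the same slip could return in a later cleanup. Suggest a short comment directly above them stating that creds.uid and creds.gid report the sender's real uid/gid, and that the full credential set remains reachable through scm->cred (still taken with get_cred(cred) two lines earlier) for any caller that needs the effective ids. The message mentions differences for suid binaries but names no reproducer or test, so it would help to reference one in the backport so the behavior can be confirmed on this tree.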