Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tipc: Fix namespace violation in tipc_sk_fill_sock_diag

To fetch UID info for socket diagnostics, we determine the
namespace of the user context using the tipc socket instance. This
may cause a namespace violation, as the kernel will remap based
on UID.

We fix this by fetching namespace info using the calling userspace
netlink socket.

Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
Reported-by: syzbot+326e587eff1074657718@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
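Added illustration, not code from the kernel tree or from the patch author: a userspace model of from_kuid_munged() over uid_map extents, used to show what the commit message calls a namespace violation. The "before" function munges the owner's kuid with the target socket's own user namespace (sk_user_ns(sk), as the removed line does); the "after" function munges it with the requesting diag socket's namespace, which the patch obtains from the netlink control block and which this model simply passes in as a parameter. The extents (a container namespace mapping uids 0..999 to kernel uids 100000..100999), the namespace names, the OVERFLOWUID value and the socket structs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OVERFLOWUID 65534u   /* kernel default for ids with no mapping (assumed here) */

typedef uint32_t kuid_t;     /* kernel-internal uid, i.e. the init namespace view */

struct uid_extent {
    uint32_t first;          /* first id as seen inside the namespace */
    uint32_t lower_first;    /* first id in the kernel (init) view */
    uint32_t count;
};

/* Reduced user_namespace: only the uid_map extents matter for this example. */
struct user_namespace {
    const char *name;
    const struct uid_extent *map;
    size_t nr_extents;
};

/* Model of from_kuid(): translate a kuid into ns, (uint32_t)-1 if unmapped. */
static uint32_t from_kuid(const struct user_namespace *ns, kuid_t kuid)
{
    for (size_t i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (kuid >= e->lower_first && kuid - e->lower_first < e->count)
            return e->first + (kuid - e->lower_first);
    }
    return (uint32_t)-1;
}

/* Model of from_kuid_munged(): an unmapped id becomes the overflow uid. */
static uint32_t from_kuid_munged(const struct user_namespace *ns, kuid_t kuid)
{
    uint32_t uid = from_kuid(ns, kuid);
    return uid == (uint32_t)-1 ? OVERFLOWUID : uid;
}

/* init_user_ns maps every id 1:1. */
static const struct uid_extent init_map[] = { { 0, 0, 4294967295u } };
static const struct user_namespace init_user_ns = { "init", init_map, 1 };

/* Constructed container namespace: inside 0..999 <-> kernel 100000..100999. */
static const struct uid_extent container_map[] = { { 0, 100000, 1000 } };
static const struct user_namespace container_ns = { "container", container_map, 1 };

/* Just enough of a socket for sk_user_ns() and sock_i_uid(). */
struct sock {
    const struct user_namespace *user_ns;  /* what sk_user_ns(sk) returns */
    kuid_t owner_kuid;                     /* what sock_i_uid(sk) returns */
};

/* Before the fix: the UID is expressed in the *target* socket's namespace. */
static uint32_t diag_uid_before(const struct sock *target, const struct sock *requester)
{
    (void)requester;
    return from_kuid_munged(target->user_ns, target->owner_kuid);
}

/* After the fix: the UID is expressed in the *requesting* socket's namespace. */
static uint32_t diag_uid_after(const struct sock *target, const struct sock *requester)
{
    return from_kuid_munged(requester->user_ns, target->owner_kuid);
}

/* A diag request from container root about a socket owned by host root. */
static uint32_t container_sees_host_root(int fixed)
{
    struct sock target = { &init_user_ns, 0 };
    struct sock requester = { &container_ns, 100000 };
    return fixed ? diag_uid_after(&target, &requester)
                 : diag_uid_before(&target, &requester);
}

/* A diag request from host root about a socket owned by container root. */
static uint32_t host_sees_container_root(int fixed)
{
    struct sock target = { &container_ns, 100000 };
    struct sock requester = { &init_user_ns, 0 };
    return fixed ? diag_uid_after(&target, &requester)
                 : diag_uid_before(&target, &requester);
}

int main(void)
{
    printf("container asks about host-root socket: before=%u after=%u\n",
           container_sees_host_root(0), container_sees_host_root(1));
    printf("host asks about container-root socket: before=%u after=%u\n",
           host_sees_container_root(0), host_sees_container_root(1));
    return 0;
}
```

Both directions are wrong before the fix: the container is told the host-root socket belongs to uid 0, which inside the container means container root, and the host is told the container-root socket belongs to uid 0 rather than to kernel uid 100000. After the fix the host root socket munges to the overflow uid inside the container (no mapping exists for it) and the container root socket reports as 100000 on the host.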

Authored by GhantaKrishnamurthy MohanKrishna and committed by David S. Miller
4b2e6877 9e8445a5

net/tipc/socket.c: +2 -1
··· 3280 3280 nla_put_u32(skb, TIPC_NLA_SOCK_TIPC_STATE, (u32)sk->sk_state) || 3281 3281 nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) || 3282 3282 nla_put_u32(skb, TIPC_NLA_SOCK_UID, 3283 - from_kuid_munged(sk_user_ns(sk), sock_i_uid(sk))) || 3283 + from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk), 3284 + sock_i_uid(sk))) || 3284 3285 nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE, 3285 3286 tipc_diag_gen_cookie(sk), 3286 3287 TIPC_NLA_SOCK_PAD))
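Review bot: the user namespace is taken from the wrong skb. In this hunk `skb` is the reply message being filled (the surrounding `nla_put_u32(skb, ...)` calls write attributes into it), not the request that carried the dump, so `NETLINK_CB(skb).sk` is not the "calling userspace netlink socket" the commit message says it wants; the kernel records the sending socket in the control block of the request skb, and on a reply buffer allocated for the dump that field is never set, so `sk_user_ns()` would be applied to a pointer the kernel did not initialise. Assuming this filler receives the `netlink_callback` like the other sock_diag fillers, use the request skb from it, i.e. `from_kuid_munged(sk_user_ns(NETLINK_CB(cb->skb).sk), sock_i_uid(sk))`, which is the same source inet_diag and unix_diag use for reporting UIDs.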