Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug

From: Michal Koutný
Date: Tue Jul 02 2024 - 12:15:29 EST

Next message: Edgecombe, Rick P: "Re: [PATCH v2 4/4] kbuild: use $(src) instead of $(srctree)/$(src) for source directory"
Previous message: Shuah Khan: "Re: [PATCH v2] kunit/usercopy: Disable testing on !CONFIG_MMU"
Next in thread: Greg Kroah-Hartman: "Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

On Tue, May 21, 2024 at 04:20:39PM GMT, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> In the Linux kernel, the following vulnerability has been resolved:
>
> net/nfc/rawsock.c: fix a permission check bug
>
> The function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable().
>
> The Linux kernel CVE team has assigned CVE-2021-47285 to this issue.
> ...
> https://git.kernel.org/stable/c/8ab78863e9eff11910e1ac8bcf478060c29b379e

Despite the patch changes guard related to EPERM bailout, it actually
swaps a "stronger" predicate capable() for a "weaker" ns_capable().

Without the patch, an unprivilged user is not allowed to create nfc
SOCK_RAW inside owned netns, with the patch, it's allowed.

That's a functional change but not security related. Or have I missed a
negation somewhere?

Thanks,
Michal

Attachment: signature.asc
Description: PGP signature

Next message: Edgecombe, Rick P: "Re: [PATCH v2 4/4] kbuild: use $(src) instead of $(srctree)/$(src) for source directory"
Previous message: Shuah Khan: "Re: [PATCH v2] kunit/usercopy: Disable testing on !CONFIG_MMU"
Next in thread: Greg Kroah-Hartman: "Re: CVE-2021-47285: net/nfc/rawsock.c: fix a permission check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]