From nobody Sun Feb  8 07:52:29 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 98270C00528
	for <linux-kernel@archiver.kernel.org>; Mon, 31 Jul 2023 16:43:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233015AbjGaQnl (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 31 Jul 2023 12:43:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45972 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232445AbjGaQnj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Jul 2023 12:43:39 -0400
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 204781729
        for <linux-kernel@vger.kernel.org>;
 Mon, 31 Jul 2023 09:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1690821769;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=3MJb09xP7TBuBVjm7iqv4BZk2hin/3r222HONq3g2yE=;
        b=c6kUf0jFoXz2ODAdmcCBxj1q8pLKk9FtuzaP9Ph48g0o8qf0jgjYjJ7UxgeVvzTFoW2e8k
        9bMoltgASE1b0dTkOepIQMtWo5R0hQmPiz/vtKBJ1Ml0x9637uMu8OZbdszW1yxSwgTNfr
        gRZ16oElXMw2mvt4o/5pneLcyn8eUyE=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-493-Z29rPmlVM0CuL2evo7T0mg-1; Mon, 31 Jul 2023 12:42:46 -0400
X-MC-Unique: Z29rPmlVM0CuL2evo7T0mg-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com
 [10.11.54.10])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6BD9F858EED;
        Mon, 31 Jul 2023 16:42:45 +0000 (UTC)
Received: from lacos-laptop-9.usersys.redhat.com (unknown [10.39.192.146])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 0F555401061;
        Mon, 31 Jul 2023 16:42:43 +0000 (UTC)
From: Laszlo Ersek <lersek@redhat.com>
To: linux-kernel@vger.kernel.org, lersek@redhat.com
Cc: Eric Dumazet <edumazet@google.com>,
        Lorenzo Colitti <lorenzo@google.com>,
        Paolo Abeni <pabeni@redhat.com>,
        Pietro Borrello <borrello@diag.uniroma1.it>,
        netdev@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 1/2] net: tun_chr_open(): set sk_uid from current_fsuid()
Date: Mon, 31 Jul 2023 18:42:36 +0200
Message-Id: <20230731164237.48365-2-lersek@redhat.com>
In-Reply-To: <20230731164237.48365-1-lersek@redhat.com>
References: <20230731164237.48365-1-lersek@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/net/tun" device node's owner UID. Per
original commit 86741ec25462 ("net: core: Add a UID field to struct
sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
userspace process that creates the socket. Commit 86741ec25462 mentions
socket() and accept(); with "tun", the action that creates the socket is
open("/dev/net/tun").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50
has no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Cc: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pietro Borrello <borrello@diag.uniroma1.it>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=3D2173435
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 drivers/net/tun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index d75456adc62a..25f0191df00b 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3469,7 +3469,7 @@ static int tun_chr_open(struct inode *inode, struct f=
ile * file)
 	tfile->socket.file =3D file;
 	tfile->socket.ops =3D &tun_socket_ops;
=20
-	sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);
+	sock_init_data_uid(&tfile->socket, &tfile->sk, current_fsuid());
=20
 	tfile->sk.sk_write_space =3D tun_sock_write_space;
 	tfile->sk.sk_sndbuf =3D INT_MAX;

From nobody Sun Feb  8 07:52:29 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1C7E3C04E69
	for <linux-kernel@archiver.kernel.org>; Mon, 31 Jul 2023 16:43:54 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233492AbjGaQnw (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 31 Jul 2023 12:43:52 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45996 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233296AbjGaQno (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Jul 2023 12:43:44 -0400
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 122C6A6
        for <linux-kernel@vger.kernel.org>;
 Mon, 31 Jul 2023 09:42:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1690821771;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=hIrzg23zm5bnaFzI5icqMbN8fi6qCvhn7sNqGYL6Vo0=;
        b=VCSaIEAu0vtP6AfgExRVWoD8NAAQqr2ZAnjkkFAEoq8jgtNmC0mykyw4VcHB4hlG2i1yBc
        WxxXAdbas7uWV6bNgyKAcWoFqAjyS8X7UVpHFUJUrZ2EfZ+uCXDlphNjMx6C394daUJKIu
        reX3FF8ZAvaXMuVkjgkLCx9KRXzMvGE=
Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-281-qnMNdh9GOoaMfomT5lE-dQ-1; Mon, 31 Jul 2023 12:42:48 -0400
X-MC-Unique: qnMNdh9GOoaMfomT5lE-dQ-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com
 [10.11.54.10])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1450638210A0;
        Mon, 31 Jul 2023 16:42:47 +0000 (UTC)
Received: from lacos-laptop-9.usersys.redhat.com (unknown [10.39.192.146])
        by smtp.corp.redhat.com (Postfix) with ESMTP id ABAD9401DA9;
        Mon, 31 Jul 2023 16:42:45 +0000 (UTC)
From: Laszlo Ersek <lersek@redhat.com>
To: linux-kernel@vger.kernel.org, lersek@redhat.com
Cc: Eric Dumazet <edumazet@google.com>,
        Lorenzo Colitti <lorenzo@google.com>,
        Paolo Abeni <pabeni@redhat.com>,
        Pietro Borrello <borrello@diag.uniroma1.it>,
        netdev@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 2/2] net: tap_open(): set sk_uid from current_fsuid()
Date: Mon, 31 Jul 2023 18:42:37 +0200
Message-Id: <20230731164237.48365-3-lersek@redhat.com>
In-Reply-To: <20230731164237.48365-1-lersek@redhat.com>
References: <20230731164237.48365-1-lersek@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Commit 66b2c338adce initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/tapX" device node's owner UID. Per original
commit 86741ec25462 ("net: core: Add a UID field to struct sock.",
2016-11-04), that's wrong: the idea is to cache the UID of the userspace
process that creates the socket. Commit 86741ec25462 mentions socket() and
accept(); with "tap", the action that creates the socket is
open("/dev/tapX").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/tapX" will be owned by root, so in practice, commit 66b2c338adce has
no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Cc: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pietro Borrello <borrello@diag.uniroma1.it>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=3D2173435
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 drivers/net/tap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 9137fb8c1c42..49d1d6acf95e 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -534,7 +534,7 @@ static int tap_open(struct inode *inode, struct file *f=
ile)
 	q->sock.state =3D SS_CONNECTED;
 	q->sock.file =3D file;
 	q->sock.ops =3D &tap_socket_ops;
-	sock_init_data_uid(&q->sock, &q->sk, inode->i_uid);
+	sock_init_data_uid(&q->sock, &q->sk, current_fsuid());
 	q->sk.sk_write_space =3D tap_sock_write_space;
 	q->sk.sk_destruct =3D tap_sock_destruct;
 	q->flags =3D IFF_VNET_HDR | IFF_NO_PI | IFF_TAP;