From: Suchit Karunakaran
To: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Suchit Karunakaran
Subject: [PATCH] ipv4: ipmr: add socket type checks to ipmr_ioctl()
Date: Fri, 23 Jan 2026 12:46:35 +0530
Message-ID: <20260123071635.16976-1-suchitkarunakaran@gmail.com>

This is the IPv4 counterpart to commit ("ipv6: ip6mr: add socket type checks to ip6mr_ioctl()") [1].

Similar to the IPv6 issue, ipmr_ioctl() and ipmr_compat_ioctl() access raw_sk(sk)->ipmr_table without first verifying that the socket is a raw socket with IPPROTO_IGMP protocol. This allows a permission bypass where a user with CAP_NET_RAW can create a non-IGMP raw socket (e.g., IPPROTO_UDP, IPPROTO_TCP, or any other protocol) and use SIOCGETVIFCNT or SIOCGETSGCNT ioctls to query IPv4 multicast routing statistics. This bypasses the access control that restricts mroute operations to IGMP sockets only.

Add socket type and protocol checks at the beginning of both ipmr_ioctl() and ipmr_compat_ioctl() to ensure only IGMP raw sockets can access multicast routing ioctls.

Signed-off-by: Suchit Karunakaran

[1] https://lore.kernel.org/all/20260123011444.2044-2-qikeyu2017@gmail.com/

--- net/ipv4/ipmr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index ca9eaee4c2ef..eae03a1b8f66 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c 
@@ -1643,6 +1643,10 @@ int ipmr_ioctl(struct sock *sk, int cmd, void *arg) struct sioc_sg_req *sr; struct mr_table *mrt; =20 + if (sk->sk_type !=3D SOCK_RAW || + inet_sk(sk)->inet_num !=3D IPPROTO_IGMP) + return -EOPNOTSUPP; + mrt =3D ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT); if (!mrt) return -ENOENT; @@ -1711,6 +1715,10 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int = cmd, void __user *arg) struct net *net =3D sock_net(sk); struct mr_table *mrt; =20 + if (sk->sk_type !=3D SOCK_RAW || + inet_sk(sk)->inet_num !=3D IPPROTO_IGMP) + return -EOPNOTSUPP; + mrt =3D ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT); if (!mrt) return -ENOENT; --=20 2.52.0
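Review bot: In the ipmr_ioctl() hunk the new check sits above the ipmr_get_table() call and does not look at cmd, so every command that reaches this function on a non-IGMP socket now returns -EOPNOTSUPP, not only the SIOCGETVIFCNT and SIOCGETSGCNT requests the commit message names. If other ioctl commands are passed through this function and rely on its previous return value to be handled elsewhere, their behaviour changes; consider applying the check only for those two commands, or state in the commit message that the wider effect is intended.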
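Review bot: The check added in the ipmr_compat_ioctl() hunk is a verbatim copy of the one in ipmr_ioctl(), and like it runs before cmd is examined. Consider moving the `sk->sk_type != SOCK_RAW || inet_sk(sk)->inet_num != IPPROTO_IGMP` test into one small static helper (name to be chosen) called from both functions, with a short comment that raw_sk(sk)->ipmr_table is only read for IGMP raw sockets, so the native and compat paths cannot drift apart.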