The original patches fixing CVE-2023-1076 are incorrect in my opinion. This small series fixes them up; see the individual commit messages for explanation.
I have a very elaborate test procedure demonstrating the problem for both tun and tap; it involves libvirt, qemu, and "crash". I can share that procedure if necessary, but it's indeed quite long (I wrote it originally for our QE team).
The patches in this series are supposed to "re-fix" CVE-2023-1076; given that said CVE is classified as Low Impact (CVSSv3=5.5), I'm posting this publicly, and not suggesting any embargo. Red Hat Product Security may assign a new CVE number later.
I've tested the patches on top of v6.5-rc4, with "crash" built at commit c74f375e0ef7.
Cc: Eric Dumazet edumazet@google.com Cc: Lorenzo Colitti lorenzo@google.com Cc: Paolo Abeni pabeni@redhat.com Cc: Pietro Borrello borrello@diag.uniroma1.it Cc: netdev@vger.kernel.org Cc: stable@vger.kernel.org
Laszlo Ersek (2): net: tun_chr_open(): set sk_uid from current_fsuid() net: tap_open(): set sk_uid from current_fsuid()
drivers/net/tap.c | 2 +- drivers/net/tun.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4