tipc: Fix namespace violation in tipc_sk_fill_sock_diag

To fetch UID info for socket diagnostics, we determine the namespace of user context using tipc socket instance. This may cause namespace violation, as the kernel will remap based on UID. We fix this by fetching namespace info using the calling userspace netlink socket. Fixes: c30b70d (tipc: implement socket diagnostics for AF_TIPC) Reported-by: syzbot+326e587eff1074657718@syzkaller.appspotmail.com Acked-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
mariux64 · Apr 4, 2018 · 4b2e687 · 4b2e687
1 parent 9e8445a
commit 4b2e687
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
@@ -3280,7 +3280,8 @@ int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
 	    nla_put_u32(skb, TIPC_NLA_SOCK_TIPC_STATE, (u32)sk->sk_state) ||
 	    nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) ||
 	    nla_put_u32(skb, TIPC_NLA_SOCK_UID,
-			from_kuid_munged(sk_user_ns(sk), sock_i_uid(sk))) ||
+			from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk),
+					 sock_i_uid(sk))) ||
 	    nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE,
 			      tipc_diag_gen_cookie(sk),
 			      TIPC_NLA_SOCK_PAD))