proc connector: reject unprivileged listener bumps

While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Evgeniy Polyakov <zbr@ioremap.net> Cc: Matt Helsley <matthltc@us.ibm.com> Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov <zbr@ioremap.net> Acked-by: Matt Helsley <matthltc@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>

proc connector: reject unprivileged listener bumps
While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Evgeniy Polyakov <zbr@ioremap.net> Cc: Matt Helsley <matthltc@us.ibm.com> Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov <zbr@ioremap.net> Acked-by: Matt Helsley <matthltc@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Kees Cook · David S. Miller
1 parent 114a6f8b52
Showing 1 changed file with 8 additions and 0 deletions Side-by-side Diff
drivers/connector/cn_proc.c
@@ -313,6 +313,12 @@
 	    (task_active_pid_ns(current) != &init_pid_ns))
 		return;
  
+	/* Can only change if privileged. */
+	if (!capable(CAP_NET_ADMIN)) {
+		err = EPERM;
+		goto out;
+	}
+
 	mc_op = (enum proc_cn_mcast_op *)msg->data;
 	switch (*mc_op) {
 	case PROC_CN_MCAST_LISTEN:
@@ -325,6 +331,8 @@
 		err = EINVAL;
 		break;
 	}
+
+out:
 	cn_proc_ack(err, msg->seq, msg->ack);
 }
...	...	@@ -313,6 +313,12 @@
313	313	(task_active_pid_ns(current) != &init_pid_ns))
314	314	return;
315	315
	316	+ /* Can only change if privileged. */
	317	+ if (!capable(CAP_NET_ADMIN)) {
	318	+ err = EPERM;
	319	+ goto out;
	320	+ }
	321	+
316	322	mc_op = (enum proc_cn_mcast_op *)msg->data;
317	323	switch (*mc_op) {
318	324	case PROC_CN_MCAST_LISTEN:
...	...	@@ -325,6 +331,8 @@
325	331	err = EINVAL;
326	332	break;
327	333	}
	334	+
	335	+out:
328	336	cn_proc_ack(err, msg->seq, msg->ack);
329	337	}
330	338