scm: Don't use struct ucred in NETLINK_CB and struct scm_cookie.

Passing uids and gids on NETLINK_CB from a process in one user
namespace to a process in another user namespace can result in the
wrong uid or gid being presented to userspace.  Avoid that problem by
passing kuids and kgids instead.

- define struct scm_creds for use in scm_cookie and netlink_skb_parms
  that holds uid and gid information in kuid_t and kgid_t.

- Modify scm_set_cred to fill out scm_creds by heand instead of using
  cred_to_ucred to fill out struct ucred.  This conversion ensures
  userspace does not get incorrect uid or gid values to look at.

- Modify scm_recv to convert from struct scm_creds to struct ucred
  before copying credential values to userspace.

- Modify __scm_send to populate struct scm_creds on in the scm_cookie,
  instead of just copying struct ucred from userspace.

- Modify netlink_sendmsg to copy scm_creds instead of struct ucred
  into the NETLINK_CB.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 12 insertions, 7 deletions

diff --git a/net/core/scm.c b/net/core/scm.c
index 6ab491d6c26f..9c1c63da3ca8 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -155,19 +155,21 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                         break;
                 case SCM_CREDENTIALS:
                 {
+                        struct ucred creds;
                         kuid_t uid;
                         kgid_t gid;
                         if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
                                 goto error;
-                        memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
-                        err = scm_check_creds(&p->creds);
+                        memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
+                        err = scm_check_creds(&creds);
                         if (err)
                                 goto error;
 
-                        if (!p->pid || pid_vnr(p->pid) != p->creds.pid) {
+                        p->creds.pid = creds.pid;
+                        if (!p->pid || pid_vnr(p->pid) != creds.pid) {
                                 struct pid *pid;
                                 err = -ESRCH;
-                                pid = find_get_pid(p->creds.pid);
+                                pid = find_get_pid(creds.pid);
                                 if (!pid)
                                         goto error;
                                 put_pid(p->pid);
@@ -175,11 +177,14 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                         }
 
                         err = -EINVAL;
-                        uid = make_kuid(current_user_ns(), p->creds.uid);
-                        gid = make_kgid(current_user_ns(), p->creds.gid);
+                        uid = make_kuid(current_user_ns(), creds.uid);
+                        gid = make_kgid(current_user_ns(), creds.gid);
                         if (!uid_valid(uid) || !gid_valid(gid))
                                 goto error;
 
+                        p->creds.uid = uid;
+                        p->creds.gid = gid;
+
                         if (!p->cred ||
                             !uid_eq(p->cred->euid, uid) ||
                             !gid_eq(p->cred->egid, gid)) {
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 382119917166..f530b1ca1773 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1399,7 +1399,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
         NETLINK_CB(skb).pid     = nlk->pid;
         NETLINK_CB(skb).dst_group = dst_group;
-        memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
+        NETLINK_CB(skb).creds   = siocb->scm->creds;
 
         err = -EFAULT;
         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {