From: Eugene Teo
Date: Wed, 27 Aug 2008 11:50:30 +0000 (-0700)
Subject: wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=a0fd3c2997c6de7a260e8ace81568a35fbf5f771;p=linux-kernel-docs%2Flinux-2.4.36.git
wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)
[backport of 2.6 commit f2455eb176ac87081bbfc9a44b21c7cd2bc1967e]
There are missing capability checks in the following code:
1300 static int
1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
1302 {
[...]
1319 case SIOCDEVRESINSTATS :
1320 if( current->euid != 0 ) /* root only */
1321 return -EPERM;
[...]
1336 case SIOCDEVSHWSTATE :
1337 if( current->euid != 0 ) /* root only */
1338 return -EPERM;
[...]
1357 case SIOCDEVENSLAVE :
1358 if( current->euid != 0 ) /* root only */
1359 return -EPERM;
[...]
1372 case SIOCDEVEMANSIPATE :
1373 if( current->euid != 0 ) /* root only */
1374 return -EPERM;
Here's my proposed fix: Missing capability checks.
Signed-off-by: Eugene Teo
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
index 6715e9fb..dba80cae 100644
--- a/drivers/net/wan/sbni.c
+++ b/drivers/net/wan/sbni.c
@@ -1297,7 +1297,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
 break;
 case SIOCDEVRESINSTATS :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN)) /* root only */
 return -EPERM;
 memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
 break;
@@ -1316,7 +1316,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
 break;
 case SIOCDEVSHWSTATE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN)) /* root only */
 return -EPERM;
 spin_lock( &nl->lock );
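Review bot: The `/* root only */` comment carried over onto the new `if (!capable(CAP_NET_ADMIN))` line in the SIOCDEVRESINSTATS case no longer describes the check, because access now depends on the CAP_NET_ADMIN capability and not on the caller's euid. A process with euid 0 that has dropped the capability is now refused, so the comment would mislead the next reader about who may issue these ioctls. I would reword it as `if (!capable(CAP_NET_ADMIN)) /* requires CAP_NET_ADMIN, not just euid 0 */`, or drop the comment. The same stale comment appears on the added lines in the SIOCDEVSHWSTATE, SIOCDEVENSLAVE and SIOCDEVEMANSIPATE hunks. As a style nit, the new lines use `if (` where the surrounding context uses `if( ... )`; sbni_ioctl's body starts and ends outside these hunks.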
@@ -1337,7 +1337,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
 #ifdef CONFIG_SBNI_MULTILINE
 case SIOCDEVENSLAVE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN)) /* root only */
 return -EPERM;
 if( (error = verify_area( VERIFY_READ, ifr->ifr_data,
@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
 return enslave( dev, slave_dev );
 case SIOCDEVEMANSIPATE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN)) /* root only */
 return -EPERM;
 return emancipate( dev );