1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* scm.c - Socket level control messages processing.
3  *
4  * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5  *              Alignment and value checking mods by Craig Metz
6  */
7 
8 #include <linux/module.h>
9 #include <linux/signal.h>
10 #include <linux/capability.h>
11 #include <linux/errno.h>
12 #include <linux/sched.h>
13 #include <linux/sched/user.h>
14 #include <linux/mm.h>
15 #include <linux/kernel.h>
16 #include <linux/stat.h>
17 #include <linux/socket.h>
18 #include <linux/file.h>
19 #include <linux/fcntl.h>
20 #include <linux/net.h>
21 #include <linux/interrupt.h>
22 #include <linux/netdevice.h>
23 #include <linux/security.h>
24 #include <linux/pid_namespace.h>
25 #include <linux/pid.h>
26 #include <linux/nsproxy.h>
27 #include <linux/slab.h>
28 #include <linux/errqueue.h>
29 #include <linux/io_uring.h>
30 
31 #include <linux/uaccess.h>
32 
33 #include <net/protocol.h>
34 #include <linux/skbuff.h>
35 #include <net/sock.h>
36 #include <net/compat.h>
37 #include <net/scm.h>
38 #include <net/cls_cgroup.h>
39 
40 
41 /*
42  *	Only allow a user to send credentials, that they could set with
43  *	setu(g)id.
44  */
45 
scm_check_creds(struct ucred * creds)46 static __inline__ int scm_check_creds(struct ucred *creds)
47 {
48 	const struct cred *cred = current_cred();
49 	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
50 	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
51 
52 	if (!uid_valid(uid) || !gid_valid(gid))
53 		return -EINVAL;
54 
55 	if ((creds->pid == task_tgid_vnr(current) ||
56 	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
57 	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
58 	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
59 	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
60 	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
61 	       return 0;
62 	}
63 	return -EPERM;
64 }
65 
scm_fp_copy(struct cmsghdr * cmsg,struct scm_fp_list ** fplp)66 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
67 {
68 	int *fdp = (int*)CMSG_DATA(cmsg);
69 	struct scm_fp_list *fpl = *fplp;
70 	struct file **fpp;
71 	int i, num;
72 
73 	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
74 
75 	if (num <= 0)
76 		return 0;
77 
78 	if (num > SCM_MAX_FD)
79 		return -EINVAL;
80 
81 	if (!fpl)
82 	{
83 		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
84 		if (!fpl)
85 			return -ENOMEM;
86 		*fplp = fpl;
87 		fpl->count = 0;
88 		fpl->max = SCM_MAX_FD;
89 		fpl->user = NULL;
90 	}
91 	fpp = &fpl->fp[fpl->count];
92 
93 	if (fpl->count + num > fpl->max)
94 		return -EINVAL;
95 
96 	/*
97 	 *	Verify the descriptors and increment the usage count.
98 	 */
99 
100 	for (i=0; i< num; i++)
101 	{
102 		int fd = fdp[i];
103 		struct file *file;
104 
105 		if (fd < 0 || !(file = fget_raw(fd)))
106 			return -EBADF;
107 		/* don't allow io_uring files */
108 		if (io_uring_get_socket(file)) {
109 			fput(file);
110 			return -EINVAL;
111 		}
112 		*fpp++ = file;
113 		fpl->count++;
114 	}
115 
116 	if (!fpl->user)
117 		fpl->user = get_uid(current_user());
118 
119 	return num;
120 }
121 
__scm_destroy(struct scm_cookie * scm)122 void __scm_destroy(struct scm_cookie *scm)
123 {
124 	struct scm_fp_list *fpl = scm->fp;
125 	int i;
126 
127 	if (fpl) {
128 		scm->fp = NULL;
129 		for (i=fpl->count-1; i>=0; i--)
130 			fput(fpl->fp[i]);
131 		free_uid(fpl->user);
132 		kfree(fpl);
133 	}
134 }
135 EXPORT_SYMBOL(__scm_destroy);
136 
__scm_send(struct socket * sock,struct msghdr * msg,struct scm_cookie * p)137 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
138 {
139 	const struct proto_ops *ops = READ_ONCE(sock->ops);
140 	struct cmsghdr *cmsg;
141 	int err;
142 
143 	for_each_cmsghdr(cmsg, msg) {
144 		err = -EINVAL;
145 
146 		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
147 		/* The first check was omitted in <= 2.2.5. The reasoning was
148 		   that parser checks cmsg_len in any case, so that
149 		   additional check would be work duplication.
150 		   But if cmsg_level is not SOL_SOCKET, we do not check
151 		   for too short ancillary data object at all! Oops.
152 		   OK, let's add it...
153 		 */
154 		if (!CMSG_OK(msg, cmsg))
155 			goto error;
156 
157 		if (cmsg->cmsg_level != SOL_SOCKET)
158 			continue;
159 
160 		switch (cmsg->cmsg_type)
161 		{
162 		case SCM_RIGHTS:
163 			if (!ops || ops->family != PF_UNIX)
164 				goto error;
165 			err=scm_fp_copy(cmsg, &p->fp);
166 			if (err<0)
167 				goto error;
168 			break;
169 		case SCM_CREDENTIALS:
170 		{
171 			struct ucred creds;
172 			kuid_t uid;
173 			kgid_t gid;
174 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
175 				goto error;
176 			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
177 			err = scm_check_creds(&creds);
178 			if (err)
179 				goto error;
180 
181 			p->creds.pid = creds.pid;
182 			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
183 				struct pid *pid;
184 				err = -ESRCH;
185 				pid = find_get_pid(creds.pid);
186 				if (!pid)
187 					goto error;
188 				put_pid(p->pid);
189 				p->pid = pid;
190 			}
191 
192 			err = -EINVAL;
193 			uid = make_kuid(current_user_ns(), creds.uid);
194 			gid = make_kgid(current_user_ns(), creds.gid);
195 			if (!uid_valid(uid) || !gid_valid(gid))
196 				goto error;
197 
198 			p->creds.uid = uid;
199 			p->creds.gid = gid;
200 			break;
201 		}
202 		default:
203 			goto error;
204 		}
205 	}
206 
207 	if (p->fp && !p->fp->count)
208 	{
209 		kfree(p->fp);
210 		p->fp = NULL;
211 	}
212 	return 0;
213 
214 error:
215 	scm_destroy(p);
216 	return err;
217 }
218 EXPORT_SYMBOL(__scm_send);
219 
put_cmsg(struct msghdr * msg,int level,int type,int len,void * data)220 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
221 {
222 	int cmlen = CMSG_LEN(len);
223 
224 	if (msg->msg_flags & MSG_CMSG_COMPAT)
225 		return put_cmsg_compat(msg, level, type, len, data);
226 
227 	if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
228 		msg->msg_flags |= MSG_CTRUNC;
229 		return 0; /* XXX: return error? check spec. */
230 	}
231 	if (msg->msg_controllen < cmlen) {
232 		msg->msg_flags |= MSG_CTRUNC;
233 		cmlen = msg->msg_controllen;
234 	}
235 
236 	if (msg->msg_control_is_user) {
237 		struct cmsghdr __user *cm = msg->msg_control_user;
238 
239 		check_object_size(data, cmlen - sizeof(*cm), true);
240 
241 		if (!user_write_access_begin(cm, cmlen))
242 			goto efault;
243 
244 		unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
245 		unsafe_put_user(level, &cm->cmsg_level, efault_end);
246 		unsafe_put_user(type, &cm->cmsg_type, efault_end);
247 		unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
248 				    cmlen - sizeof(*cm), efault_end);
249 		user_write_access_end();
250 	} else {
251 		struct cmsghdr *cm = msg->msg_control;
252 
253 		cm->cmsg_level = level;
254 		cm->cmsg_type = type;
255 		cm->cmsg_len = cmlen;
256 		memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
257 	}
258 
259 	cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
260 	if (msg->msg_control_is_user)
261 		msg->msg_control_user += cmlen;
262 	else
263 		msg->msg_control += cmlen;
264 	msg->msg_controllen -= cmlen;
265 	return 0;
266 
267 efault_end:
268 	user_write_access_end();
269 efault:
270 	return -EFAULT;
271 }
272 EXPORT_SYMBOL(put_cmsg);
273 
put_cmsg_scm_timestamping64(struct msghdr * msg,struct scm_timestamping_internal * tss_internal)274 void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
275 {
276 	struct scm_timestamping64 tss;
277 	int i;
278 
279 	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
280 		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
281 		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
282 	}
283 
284 	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
285 }
286 EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
287 
put_cmsg_scm_timestamping(struct msghdr * msg,struct scm_timestamping_internal * tss_internal)288 void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
289 {
290 	struct scm_timestamping tss;
291 	int i;
292 
293 	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
294 		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
295 		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
296 	}
297 
298 	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
299 }
300 EXPORT_SYMBOL(put_cmsg_scm_timestamping);
301 
scm_max_fds(struct msghdr * msg)302 static int scm_max_fds(struct msghdr *msg)
303 {
304 	if (msg->msg_controllen <= sizeof(struct cmsghdr))
305 		return 0;
306 	return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
307 }
308 
scm_detach_fds(struct msghdr * msg,struct scm_cookie * scm)309 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
310 {
311 	struct cmsghdr __user *cm =
312 		(__force struct cmsghdr __user *)msg->msg_control_user;
313 	unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
314 	int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
315 	int __user *cmsg_data = CMSG_USER_DATA(cm);
316 	int err = 0, i;
317 
318 	/* no use for FD passing from kernel space callers */
319 	if (WARN_ON_ONCE(!msg->msg_control_is_user))
320 		return;
321 
322 	if (msg->msg_flags & MSG_CMSG_COMPAT) {
323 		scm_detach_fds_compat(msg, scm);
324 		return;
325 	}
326 
327 	for (i = 0; i < fdmax; i++) {
328 		err = receive_fd_user(scm->fp->fp[i], cmsg_data + i, o_flags);
329 		if (err < 0)
330 			break;
331 	}
332 
333 	if (i > 0) {
334 		int cmlen = CMSG_LEN(i * sizeof(int));
335 
336 		err = put_user(SOL_SOCKET, &cm->cmsg_level);
337 		if (!err)
338 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
339 		if (!err)
340 			err = put_user(cmlen, &cm->cmsg_len);
341 		if (!err) {
342 			cmlen = CMSG_SPACE(i * sizeof(int));
343 			if (msg->msg_controllen < cmlen)
344 				cmlen = msg->msg_controllen;
345 			msg->msg_control_user += cmlen;
346 			msg->msg_controllen -= cmlen;
347 		}
348 	}
349 
350 	if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
351 		msg->msg_flags |= MSG_CTRUNC;
352 
353 	/*
354 	 * All of the files that fit in the message have had their usage counts
355 	 * incremented, so we just free the list.
356 	 */
357 	__scm_destroy(scm);
358 }
359 EXPORT_SYMBOL(scm_detach_fds);
360 
scm_fp_dup(struct scm_fp_list * fpl)361 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
362 {
363 	struct scm_fp_list *new_fpl;
364 	int i;
365 
366 	if (!fpl)
367 		return NULL;
368 
369 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
370 			  GFP_KERNEL_ACCOUNT);
371 	if (new_fpl) {
372 		for (i = 0; i < fpl->count; i++)
373 			get_file(fpl->fp[i]);
374 		new_fpl->max = new_fpl->count;
375 		new_fpl->user = get_uid(fpl->user);
376 	}
377 	return new_fpl;
378 }
379 EXPORT_SYMBOL(scm_fp_dup);
380