[Bug 234722] [patch] [linux] getsockopt(SOL_SOCKET, SO_PEERCRED) on a Unix socket fails silently

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jan 7 23:16:50 UTC 2019 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234722

            Bug ID: 234722
           Summary: [patch] [linux] getsockopt(SOL_SOCKET, SO_PEERCRED) on
                    a Unix socket fails silently
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: bakaidl at gmail.com

Created attachment 200893
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=200893&action=edit
Source for reproduction and patch

When using the SO_PEERCRED getsockopt for a Unix socket from a Linux program
with the Linux compatibility layer, it returns with no error, but the resulting
struct ucred contains garbage.

To reproduce, compile the attached linux_peercred_test.c for Linux, set up a
listening Unix socket named test.sock on FreeBSD (nc -l -U test.sock or socat
UNIX-LISTEN:test.sock -) and run linux_peercred_test.
It will return something along the line of this:
[bakaid at freebsd ~]$ ./linux_peercred_test
uid: 4294965248, gid: 6, pid: 0

The cause seem to be the following:
The Linux compat layer translates the Linux getsockopt for level SOL_SOCKET
(1), optname SO_PEERCRED (17) to level SOL_SOCKET (0xffff), optname
LOCAL_PEERCRED (1), and calls kern_getsockopt (sys/kern/uipc_syscalls.c) with
these parameters (sys/compat/linux/linux_socket.c).

However, LOCAL_PEERCRED should be called with level 0, not level SOL_SOCKET, as
demonstrated (among others) by the getpeereid implementation
(lib/libc/gen/getpeereid.c).

Even worse, calling it with SOL_SOCKET will cause the getsockopt being served
as a SOL_SOCKET request (kern_getsockopt -> sogetopt (sys/kern/uipc_socket.c))
and interpreted as SO_DEBUG (1), which will return successfully, causing the
failure to be silent.

I've only tried this on FreeBSD 12.0-RELEASE r341666 GENERIC  amd64, but
looking through the relevant git history I don't see positive evidence that
this function ever worked properly.

The attached patch (compat_linux_so_peercred_fix.patch) fixes the issue, which
can be verified by running linux_peercred_test again:
[bakaid at freebsd ~]$ ./linux_peercred_test 
uid: 1001, gid: 1001, pid: 0

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list