Type Confusion hardcodes tuntap socket UID to root [CVE-2023-1076]

We discussed this vulnerability during Episode 196 on 14 March 2023

A type-confusion happens in during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0. The root cause of this bug is in the incorrect assumption made by sock_init_data() regarding the struct socket input. It assumes the input socket will be contained within a struct socket_alloc, however for TUN and TAP devices it will be embeded in a struct tap_queue or struct tun_file when it gets called. Eventually, when container_of is called, with socket_alloc as the parent structure, it’ll calculate an incorrect container/parent pointer.