Smack: type confusion in smak sendmsg() handler

Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Signed-off-by: Mateusz Fruba <m.fruba@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: type confusion in smak sendmsg() handler
Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Signed-off-by: Mateusz Fruba <m.fruba@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
81bd0d56 · Roman Kubiak · Casey Schaufler · 79be0935 · 81bd0d56
Commit 81bd0d56 authored Dec 17, 2015 by Roman Kubiak Committed by Casey Schaufler Dec 17, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

security/smack/smack_lsm.c security/smack/smack_lsm.c +1 -1

No files found.
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3780,7 +3780,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
 	if (sip == NULL)
 		return 0;

-	switch (sip->sin_family) {
+	switch (sock->sk->sk_family) {
 	case AF_INET:
 		rc = smack_netlabel_send(sock->sk, sip);
 		break;