summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoman Kubiak <r.kubiak@samsung.com>2015-12-17 13:24:35 +0100
committerCasey Schaufler <casey@schaufler-ca.com>2015-12-17 10:21:56 -0800
commit81bd0d56298f93af6ac233d8a7e8b29aa4b094b7 (patch)
tree4fb0eb956481a9155e1cd9fffcd04083d3dfc601
parent79be093500791cc25cc31bcaec5a4db62e21497b (diff)
downloadop-kernel-dev-81bd0d56298f93af6ac233d8a7e8b29aa4b094b7.zip
op-kernel-dev-81bd0d56298f93af6ac233d8a7e8b29aa4b094b7.tar.gz
Smack: type confusion in smak sendmsg() handler
Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Signed-off-by: Mateusz Fruba <m.fruba@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
-rw-r--r--security/smack/smack_lsm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b20ef06..0e77037 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3780,7 +3780,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
if (sip == NULL)
return 0;
- switch (sip->sin_family) {
+ switch (sock->sk->sk_family) {
case AF_INET:
rc = smack_netlabel_send(sock->sk, sip);
break;
OpenPOWER on IntegriCloud