Seems that an unauthorized user can send a file through sockets due to
the following missing check errors.

There is no security_file_permission() check from sys_splice(),
which can invoke sock_sendpage(). The call chain is as follows.

sys_splice -> do_splice -> do_splice_from -> generic_splice_sendpage
(via function pointer out->f_op->splice_write, which is set up in
net/socket.c) -> pipe_to_sendpage -> sock_sendpage (via
file->f_op->sendpage, in net/socket.c)

I believe sock_sendpage() needs to be protected by
security_file_permission() for two reasons. First, in the following
path it is protected.

sys_sendfile -> do_sendfile -> file_send_actor -> sock_sendpage

Second, if it is not protected, then an unauthorized user can send a
file through sockets. Adding the check in do_splice_from() should solve
the problem.

Similar problems exist in do_splice_to() and probably in sys_vmsplice()
too.

Thanks,
Lin
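
The argument in the message above can be checked mechanically. The following is an added example, not part of the original post and not kernel code: it walks a constructed call graph built from the two chains quoted in the message and counts the paths that reach sock_sendpage without passing a function that calls security_file_permission(). Placing the existing check in do_sendfile is an assumption, since the message does not say which function on the sendfile path performs it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed call graph: edges copied from the two chains in the message. */
struct edge { const char *from, *to; };
static const struct edge edges[] = {
    {"sys_splice", "do_splice"},
    {"do_splice", "do_splice_from"},
    {"do_splice_from", "generic_splice_sendpage"},
    {"generic_splice_sendpage", "pipe_to_sendpage"},
    {"pipe_to_sendpage", "sock_sendpage"},
    {"sys_sendfile", "do_sendfile"},
    {"do_sendfile", "file_send_actor"},
    {"file_send_actor", "sock_sendpage"},
};
#define NEDGES (sizeof edges / sizeof edges[0])
#define MAXCHK 8

/* Functions modelled as calling security_file_permission().
 * Assumption: on the sendfile path the check is placed in do_sendfile. */
static const char *checked[MAXCHK] = { "do_sendfile" };

static int is_checked(const char *fn) {
    for (size_t i = 0; i < MAXCHK && checked[i]; i++)
        if (strcmp(checked[i], fn) == 0) return 1;
    return 0;
}

/* Count call paths from fn to sink on which no function performs the
 * check. The graph is acyclic, so the recursion terminates. */
static int unchecked_paths(const char *fn, const char *sink) {
    if (is_checked(fn)) return 0;          /* path is guarded from here on */
    if (strcmp(fn, sink) == 0) return 1;   /* reached the sink unguarded */
    int n = 0;
    for (size_t i = 0; i < NEDGES; i++)
        if (strcmp(edges[i].from, fn) == 0)
            n += unchecked_paths(edges[i].to, sink);
    return n;
}

int main(void) {
    const char *sink = "sock_sendpage";
    printf("sys_sendfile unchecked paths: %d\n", unchecked_paths("sys_sendfile", sink));
    printf("sys_splice unchecked paths:   %d\n", unchecked_paths("sys_splice", sink));
    checked[1] = "do_splice_from";         /* the fix proposed in the message */
    printf("sys_splice after fix:         %d\n", unchecked_paths("sys_splice", sink));
    return 0;
}
```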