On 12/17/2015 4:24 AM, Roman Kubiak wrote:
> Please note that this problem was not found by me but by Mateusz Fruba
> and he takes full credit for all the below details, the patch has been
> submitted by me due to corporate rules, all questions/issues etc. can be
> submitted here and I will forward them to Mateusz if needed.
>
> --- cut here for patch
> Smack security handler for sendmsg() syscall
> is vulnerable to type confusion issue which
> can allow privilege escalation into root
> or cause denial of service.
>
> A malicious attacker can create socket of one
> type for example AF_UNIX and pass it into
> sendmsg() function ensuring that this is
> AF_INET socket.
>
> Remedy
> Do not trust user supplied data.
> Proposed fix below.
>
> Signed-off-by: Roman Kubiak <r.kub...@samsung.com>
> Signed-off-by: Mateusz Fruba <m.fr...@samsung.com>
Acked-by: Casey Schaufler <ca...@schaufler-ca.com>
> --- > security/smack/smack_lsm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index ff81026..9258a52 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -3758,7 +3758,7 @@ static int smack_socket_sendmsg(struct socket *sock, > struct msghdr *msg, > if (sip == NULL) > return 0; > > - switch (sip->sin_family) { > + switch (sock->sk->sk_family) { > case AF_INET: > rc = smack_netlabel_send(sock->sk, sip); > break;
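Review bot: in the AF_INET case, sip is still handed to smack_netlabel_send(sock->sk, sip) with only the `if (sip == NULL)` check in the visible context, so after switching on sock->sk->sk_family nothing shown here confirms that the caller-supplied address is large enough to be read as a sockaddr_in or that its sin_family agrees with the socket. Consider checking msg->msg_namelen against sizeof(struct sockaddr_in) and rejecting a mismatched sip->sin_family before the switch, so that the address is validated as well as the dispatch. A one-line comment above the switch saying that the family is taken from the socket because the address comes from userspace would also keep a later cleanup from reverting to sip->sin_family.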