From 81bd0d56298f93af6ac233d8a7e8b29aa4b094b7 Mon Sep 17 00:00:00 2001 From: Roman Kubiak Date: Thu, 17 Dec 2015 13:24:35 +0100 Subject: [PATCH] Smack: type confusion in smak sendmsg() handler Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by: Roman Kubiak Signed-off-by: Mateusz Fruba Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b20ef0602267..0e7703773a97 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3780,7 +3780,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, if (sip == NULL) return 0; - switch (sip->sin_family) { + switch (sock->sk->sk_family) { case AF_INET: rc = smack_netlabel_send(sock->sk, sip); break; -- 2.39.5