summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorRoman Kubiak <r.kubiak@samsung.com>2015-12-17 13:24:35 +0100
committerSeung-Woo Kim <sw0312.kim@samsung.com>2016-12-14 13:49:01 +0900
commit76c12f42e0bd07c5538d4093189c6a037cba670a (patch)
tree1b384a8df880f520e350ae66c84c4f96161a451e /security
parentdd8c6523129d08ad7040316975445faeac68596c (diff)
Smack: type confusion in smak sendmsg() handler
Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Signed-off-by: Mateusz Fruba <m.fruba@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index cb6aff38323a..d53fd8acae74 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3767,7 +3767,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
if (sip == NULL)
return 0;
- switch (sip->sin_family) {
+ switch (sock->sk->sk_family) {
case AF_INET:
rc = smack_netlabel_send(sock->sk, sip);
break;