Smack: type confusion in smak sendmsg() handler

Smack security handler for sendmsg() syscall
is vulnerable to type confusion issue what
can allow to privilege escalation into root
or cause denial of service.

A malicious attacker can create socket of one
type for example AF_UNIX and pass is into
sendmsg() function ensuring that this is
AF_INET socket.

Remedy
Do not trust user supplied data.
Proposed fix below.

* Re-apply for tizen_linux_4.4

Change-Id: I7a51a3d239a447b46f24a02c21b025ed97886789
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Mateusz Fruba <m.fruba@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bd249cf318b35e6d8025e5c936123cc8934f1ed2..4213de5b50147bd6e054acebcade6be53e593183 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3778,7 +3778,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
        if (sip == NULL)
                return 0;
 
-       switch (sip->sin_family) {
+       switch (sock->sk->sk_family) {
        case AF_INET:
                rc = smack_netlabel_send(sock->sk, sip);
                break;