BACKPORT: Smack: type confusion in smak sendmsg() handler

Smack security handler for sendmsg() syscall
is vulnerable to type confusion issue what
can allow to privilege escalation into root
or cause denial of service.

A malicious attacker can create socket of one
type for example AF_UNIX and pass is into
sendmsg() function ensuring that this is
AF_INET socket.

Remedy
Do not trust user supplied data.
Proposed fix below.

Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Mateusz Fruba <m.fruba@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry-picked from upstream 81bd0d56298f93af6ac233d8a7e8b29aa4b094b7)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c175e9cd613be297f9ed48c22c0c0e185914bda7..93440d01003a9dcabaeb12c31c3974d73d1697ba 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3784,7 +3784,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
        if (sip == NULL)
                return 0;
 
-       switch (sip->sin_family) {
+       switch (sock->sk->sk_family) {
        case AF_INET:
                rc = smack_netlabel_send(sock->sk, sip);
                break;