From 50e9e90dbdf59b5439a4a8d180f89283fec5f700 Mon Sep 17 00:00:00 2001 From: Roman Kubiak Date: Thu, 17 Dec 2015 13:24:35 +0100 Subject: [PATCH] Smack: type confusion in smak sendmsg() handler Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Change-Id: I6d8b3a3eb9560c0e6d6bfef59e56d6ec659e2d3d Signed-off-by: Roman Kubiak Signed-off-by: Mateusz Fruba Acked-by: Casey Schaufler [Backport from linux-next of v4.5-rc] Signed-off-by: Seung-Woo Kim (cherry picked from commit 1b2b4d7c1b75ba28133e76296f7ff2d5c7e51d07) Signed-off-by: Sooyoung Ha --- security/smack/smack_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 61291e543ca1..3a927fd5ec60 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3447,7 +3447,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, if (sip == NULL) return 0; - switch (sip->sin_family) { + switch (sock->sk->sk_family) { case AF_INET: rc = smack_netlabel_send(sock->sk, sip); break; -- 2.34.1
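Review bot: in the `case AF_INET:` branch, `sip` is still passed to `smack_netlabel_send(sock->sk, sip)` with only the `if (sip == NULL)` check visible ahead of it. Switching on `sock->sk->sk_family` stops the caller from choosing the branch, but the address contents remain caller-supplied. If nothing earlier in the function already does so, this branch should confirm that the name length carried in `msg` covers a full `struct sockaddr_in` before `sip` is used, and fail the call otherwise. A one-line comment above the `switch` saying that the family is taken from the socket because the address in `msg` is untrusted would also keep a later cleanup from reverting to `sip->sin_family`.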