|Main Archive Page > Month Archives > linux-security-module archives|
Seems that an unauthorized user can send file through sockets due to the following missing check errors.
There is not security_file_permission() check from sys_splice(),
which can invoke sock_sendpage(). The call chain is as follows.
sys_splice -> do_splice -> do_splice_from -> generic_splice_sendpage
(via function pointer out->f_op->splice_write, which is set up in net/
socket.c) -> pipe_to_sendpage -> sock_sendpage ( via file->f_op-
>sendpage, in net/socket.c)
I believe sock_sendpage() needs to be protected by security_file_permission() for two reasons. First, in the following path it is protected.
sys_sendfile -> do_sendfile -> file_send_actor -> sock_sendpage
Second, if it is not protected, then unauthorized user can send file through sockets. Adding the check in do_splice_from() should solve the problem.
Similar problems exit in do_splice_to() and probably in sys_vmspliace () too.
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to firstname.lastname@example.org More majordomo info at http://vger.kernel.org/majordomo-info.html