linux-security-module November 2007 archive
linux-security-module: Missing security_file_permission() check

Missing security_file_permission() check from sys_splice()

From: Lin Tan <lintan2_at_nospam>
Date: Fri Nov 09 2007 - 05:20:49 GMT
To: linux-security-module@vger.kernel.org


It seems that an unauthorized user can send a file through sockets due to the following missing check errors.

There is no security_file_permission() check from sys_splice(), which can invoke sock_sendpage(). The call chain is as follows.

sys_splice -> do_splice -> do_splice_from -> generic_splice_sendpage (via function pointer out->f_op->splice_write, which is set up in net/socket.c) -> pipe_to_sendpage -> sock_sendpage (via file->f_op->sendpage, in net/socket.c)

I believe sock_sendpage() needs to be protected by security_file_permission() for two reasons. First, in the following path it is protected.

sys_sendfile -> do_sendfile -> file_send_actor -> sock_sendpage

Second, if it is not protected, then an unauthorized user can send a file through sockets. Adding the check in do_splice_from() should solve the problem.

Similar problems exist in do_splice_to() and probably in sys_vmsplice() too.

Thanks,
Lin
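
The missing-check pattern reported in this message can be audited mechanically. The following is an added example, not part of the original post or of the kernel source: it models the two quoted call chains as a graph and lists the syscall-to-sock_sendpage paths on which no function calls the hook. The position of the hook in do_sendfile is an assumption (the message only states that the sendfile path is protected), and `unmediated_paths` and the other Python names are illustrative.

```python
# Call graph built from the two call chains quoted in the message.
CALLS = {
    "sys_splice": ["do_splice"],
    "do_splice": ["do_splice_from"],
    "do_splice_from": ["generic_splice_sendpage"],   # via f_op->splice_write
    "generic_splice_sendpage": ["pipe_to_sendpage"],
    "pipe_to_sendpage": ["sock_sendpage"],           # via f_op->sendpage
    "sys_sendfile": ["do_sendfile"],
    "do_sendfile": ["file_send_actor"],
    "file_send_actor": ["sock_sendpage"],
}
ENTRIES = ["sys_splice", "sys_sendfile"]
SINK = "sock_sendpage"

# Functions that call security_file_permission(). Assumption: on the sendfile
# path the call sits in do_sendfile; the message only says that path is protected.
CHECKED_BEFORE = {"do_sendfile"}
# The change proposed in the message: add the check in do_splice_from().
CHECKED_AFTER = CHECKED_BEFORE | {"do_splice_from"}


def unmediated_paths(calls, checked, entries, sink):
    """Return every entry -> sink path on which no function calls the hook.

    Simplification: a check anywhere in a function is treated as covering
    everything that function calls; ordering and which file is checked are
    not modelled.
    """
    found = []

    def walk(fn, path):
        if fn in checked:
            return                      # hook is hit before the sink
        path = path + [fn]
        if fn == sink:
            found.append(path)
            return
        for callee in calls.get(fn, []):
            if callee not in path:      # guard against recursion cycles
                walk(callee, path)

    for entry in entries:
        walk(entry, [])
    return found


if __name__ == "__main__":
    for label, checked in (("before", CHECKED_BEFORE), ("after", CHECKED_AFTER)):
        print(label, [" -> ".join(p) for p in unmediated_paths(CALLS, checked, ENTRIES, SINK)])
```

With the constructed graph, only the sys_splice chain is reported before the proposed change, and nothing is reported once do_splice_from is marked as checked.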
