From: Tyler Hicks <tyhicks@canonical.com>
To: stable@vger.kernel.org
Subject: [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt
Date: Tue,  4 Sep 2018 15:42:59 +0000
Message-ID: <1536075779-14326-3-git-send-email-tyhicks@canonical.com>
In-Reply-To: <1536075779-14326-1-git-send-email-tyhicks@canonical.com>

The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.

CVE-2018-6555

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/irda/af_irda.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 82e632b2c5a1..7cc9db38e1b6 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2027,7 +2027,11 @@ static int irda_setsockopt(struct socket *sock, int level, int optname,
 			err = -EINVAL;
 			goto out;
 		}
-		irias_insert_object(ias_obj);
+
+		/* Only insert newly allocated objects */
+		if (free_ias)
+			irias_insert_object(ias_obj);
+
 		kfree(ias_opt);
 		break;
 	case IRLMP_IAS_DEL:
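
Review bot: The new `if (free_ias)` guard uses a flag whose name describes cleanup responsibility as its test for "this object is not yet in the LM_IAS database", and the hunk does not show where free_ias is assigned, so the invariant that makes the check correct is not visible at this point in the code. The comment "Only insert newly allocated objects" says what is done but not why. I would extend it to state that free_ias is set only when ias_obj was allocated in this call, and that an existing self->ias_object is already linked in the hashbin, so a second irias_insert_object() corrupts the doubly linked list. That keeps a later change to how free_ias is set from silently reintroducing the double insert.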
-- 
2.7.4
