* [STABLE <= 4.13][PATCH 0/2] IRDA fixes
@ 2018-09-04 15:42 Tyler Hicks
  2018-09-04 15:42 ` [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket Tyler Hicks
  2018-09-04 15:42 ` [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt Tyler Hicks
  0 siblings, 2 replies; 4+ messages in thread
From: Tyler Hicks @ 2018-09-04 15:42 UTC (permalink / raw)
  To: stable

Hello - Two issues were reported to Ubuntu in the IRDA subsystem. IRDA is no
longer present in the upstream kernel as of 4.17 but the stable tree is
affected.

This patch set addresses the issues in 4.13 and earlier kernels.

Tyler


* [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket
  2018-09-04 15:42 [STABLE <= 4.13][PATCH 0/2] IRDA fixes Tyler Hicks
@ 2018-09-04 15:42 ` Tyler Hicks
  2018-09-04 15:42 ` [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt Tyler Hicks
  1 sibling, 0 replies; 4+ messages in thread
From: Tyler Hicks @ 2018-09-04 15:42 UTC (permalink / raw)
  To: stable

The irda_bind() function allocates memory for self->ias_obj without
checking to see if the socket is already bound. A userspace process
could repeatedly bind the socket, have each new object added into the
LM-IAS database, and lose the reference to the old object assigned to
the socket to exhaust memory resources. This patch errors out of the
bind operation when self->ias_obj is already assigned.

CVE-2018-6554

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/irda/af_irda.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 4a116d766c15..82e632b2c5a1 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -774,6 +774,13 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 		return -EINVAL;
 
 	lock_sock(sk);
+
+	/* Ensure that the socket is not already bound */
+	if (self->ias_obj) {
+		err = -EINVAL;
+		goto out;
+	}
+
 #ifdef CONFIG_IRDA_ULTRA
 	/* Special care for Ultra sockets */
 	if ((sk->sk_type == SOCK_DGRAM) &&
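Review bot: The new check sits after `lock_sock(sk);` and bails out with `goto out`, so correctness depends on the `out:` label (not visible in this hunk) calling `release_sock(sk)`; please confirm that every path reaching `out` drops the socket lock, otherwise an already-bound socket would leave the lock held. The check itself is the right shape for the leak described in the commit message: `self->ias_obj` is only ever non-NULL once a bind has allocated and registered an object, so refusing a second bind stops the repeated allocation and the lost reference to the previous LM-IAS entry. Returning `-EINVAL` for a rebind is consistent with how other address-family `bind()` handlers treat an already-bound socket.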
-- 
2.7.4


* [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt
  2018-09-04 15:42 [STABLE <= 4.13][PATCH 0/2] IRDA fixes Tyler Hicks
  2018-09-04 15:42 ` [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket Tyler Hicks
@ 2018-09-04 15:42 ` Tyler Hicks
  1 sibling, 0 replies; 4+ messages in thread
From: Tyler Hicks @ 2018-09-04 15:42 UTC (permalink / raw)
  To: stable

The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.

CVE-2018-6555

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/irda/af_irda.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 82e632b2c5a1..7cc9db38e1b6 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2027,7 +2027,11 @@ static int irda_setsockopt(struct socket *sock, int level, int optname,
 			err = -EINVAL;
 			goto out;
 		}
-		irias_insert_object(ias_obj);
+
+		/* Only insert newly allocated objects */
+		if (free_ias)
+			irias_insert_object(ias_obj);
+
 		kfree(ias_opt);
 		break;
 	case IRLMP_IAS_DEL:
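Review bot: The fix gates `irias_insert_object(ias_obj)` on `free_ias`, but the hunk does not show where `free_ias` is set; it must be initialised to false and set only on the path that freshly allocates `ias_obj`, never on the path that reuses `self->ias_obj`, since a stale true value would reintroduce the double insertion. The name `free_ias` reads as a cleanup flag rather than "this object is new", so the added comment carries the meaning; it would be clearer to say why the reuse path must not insert, e.g. `/* Only insert newly allocated objects; an existing object is already linked into the LM_IAS hashbin and reinserting it corrupts the list */`. Also worth confirming that the error path above (`err = -EINVAL; goto out;`) frees the newly allocated object when `free_ias` is set, so the new gating does not leave an unreferenced allocation behind.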
-- 
2.7.4


* [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt
  2018-09-04 15:24 [STABLE 4.14+][PATCH 0/2] IRDA fixes Tyler Hicks
@ 2018-09-04 15:24 ` Tyler Hicks
  0 siblings, 0 replies; 4+ messages in thread
From: Tyler Hicks @ 2018-09-04 15:24 UTC (permalink / raw)
  To: stable

The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.

CVE-2018-6555

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
---
 drivers/staging/irda/net/af_irda.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/irda/net/af_irda.c b/drivers/staging/irda/net/af_irda.c
index a08cd3dd7a6e..cebe9878ca03 100644
--- a/drivers/staging/irda/net/af_irda.c
+++ b/drivers/staging/irda/net/af_irda.c
@@ -2019,7 +2019,11 @@ static int irda_setsockopt(struct socket *sock, int level, int optname,
 			err = -EINVAL;
 			goto out;
 		}
-		irias_insert_object(ias_obj);
+
+		/* Only insert newly allocated objects */
+		if (free_ias)
+			irias_insert_object(ias_obj);
+
 		kfree(ias_opt);
 		break;
 	case IRLMP_IAS_DEL:
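Review bot: This is the same `free_ias` gating as the 4.13 patch, applied to the post-4.14 location `drivers/staging/irda/net/af_irda.c` after the subsystem was moved to staging; the hunk offset differs (`@@ -2019,7 +2019,11 @@`) but the surrounding context is identical, so the same two checks apply: `free_ias` must be initialised false and set only on the fresh-allocation path, and the `goto out` error path above the hunk must free a newly allocated `ias_obj` that is now never inserted. Since the 4.14+ series carries only this patch, it would help stable reviewers to state in the cover letter why the `irda_bind()` rebind fix (CVE-2018-6554) is not needed there, or to include it if it is.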
-- 
2.7.4
