On Wed, Sep 12, 2018 at 03:49:16PM -0500, Tyler Hicks wrote:
On 09/12/2018 02:35 PM, Greg KH wrote:
On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
The irda_bind() function allocates memory for self->ias_obj without checking to see if the socket is already bound. A userspace process could repeatedly bind the socket, have each new object added into the LM-IAS database, and lose the reference to the old object assigned to the socket to exhaust memory resources. This patch errors out of the bind operation when self->ias_obj is already assigned.
CVE-2018-6554
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
No "Reported-by:" lines?
I always like to give credit with Reported-by tags but this was a rare situation where the reporter didn't want to be acknowledged.
Fair enough, I had to ask :)
And again, how can you trigger any of this given the code doesn't even work? Can you load irda modules as a "normal" user?
I answered these questions in my other reply. The irda socket interface works well enough to reach the affected code.
Ok, thanks for the patches, I'll go queue them up everywhere now.
greg k-h
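
The leak described in the commit message above, as an added example that is not part of the original thread or the kernel patch: a userspace C model of a bind path that allocates and publishes an object without checking whether the socket already holds one, next to the checked form. All type and function names are hypothetical stand-ins, and the `-EINVAL` return value is an assumption of this example.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel objects (constructed for this example). */
struct ias_obj { struct ias_obj *next; };
struct irda_sock_model { struct ias_obj *ias_obj; };

static struct ias_obj *ias_db;   /* models the LM-IAS database list */

static size_t ias_db_count(void)
{
    size_t n = 0;
    for (struct ias_obj *o = ias_db; o; o = o->next)
        n++;
    return n;
}

/* Allocate an object, publish it in the database, attach it to the socket. */
static int bind_common(struct irda_sock_model *self)
{
    struct ias_obj *obj = calloc(1, sizeof(*obj));
    if (!obj)
        return -ENOMEM;
    obj->next = ias_db;
    ias_db = obj;
    self->ias_obj = obj;   /* any previous pointer is overwritten here */
    return 0;
}

/* Behaviour described in the commit message: no "already bound" check. */
int bind_unchecked(struct irda_sock_model *self)
{
    return bind_common(self);
}

/* Behaviour after the fix: refuse a second bind on the same socket. */
int bind_checked(struct irda_sock_model *self)
{
    if (self->ias_obj)
        return -EINVAL;    /* errno value is an assumption of this example */
    return bind_common(self);
}

/* Bind one socket `times` times; return how many objects the database gained. */
size_t objects_after_rebinds(int (*bind_fn)(struct irda_sock_model *), int times)
{
    struct irda_sock_model sk = { 0 };
    size_t before = ias_db_count();
    for (int i = 0; i < times; i++)
        bind_fn(&sk);
    return ias_db_count() - before;
}
```

With the unchecked path the database grows by one object per call while the socket only remembers the last one; with the check it grows by exactly one regardless of how many times bind is called.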