On 09/12/2018 02:35 PM, Greg KH wrote:
> On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
>> The irda_bind() function allocates memory for self->ias_obj without
>> checking to see if the socket is already bound. A userspace process
>> could repeatedly bind the socket, have each new object added into the
>> LM-IAS database, and lose the reference to the old object assigned to
>> the socket to exhaust memory resources. This patch errors out of the
>> bind operation when self->ias_obj is already assigned.
>>
>> CVE-2018-6554
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
>> Reviewed-by: Seth Arnold <seth.arnold@xxxxxxxxxxxxx>
>> Reviewed-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
>> ---
>
> No "Reported-by:" lines?

I always like to give credit with Reported-by tags but this was a rare
situation where the reporter didn't want to be acknowledged.

> And again, how can you trigger any of this given the code doesn't even
> work? Can you load irda modules as a "normal" user?

I answered these questions in my other reply. The irda socket interface
works well enough to reach the affected code.

Tyler

>
> thanks,
>
> greg k-h
>
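The leak pattern described in the quoted commit message, as an added userspace model that is not code from this thread or from the kernel: a bind that allocates without checking for an existing object, beside the same bind with the "already assigned" check. The struct layouts, function names, the linked-list stand-in for the LM-IAS database and the `-EINVAL` return value are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; names and layouts are illustrative, not the kernel's. */
struct ias_obj { struct ias_obj *next; };
struct sock_model { struct ias_obj *ias_obj; };
static struct ias_obj *ias_db;          /* stands in for the LM-IAS database */

/* Pre-patch shape: every call allocates and inserts a new object. */
static int bind_unchecked(struct sock_model *s)
{
    struct ias_obj *o = calloc(1, sizeof(*o));
    if (!o) return -ENOMEM;
    o->next = ias_db; ias_db = o;       /* insert into the database */
    s->ias_obj = o;                     /* previous pointer, if any, is overwritten */
    return 0;
}

/* Patched shape: error out when the socket already owns an object. */
static int bind_checked(struct sock_model *s)
{
    if (s->ias_obj) return -EINVAL;     /* errno value is an assumption */
    return bind_unchecked(s);
}

/* Teardown can only unlink the one object the socket still references. */
static void sock_release(struct sock_model *s)
{
    for (struct ias_obj **p = &ias_db; *p; p = &(*p)->next)
        if (*p == s->ias_obj) { *p = s->ias_obj->next; free(s->ias_obj); break; }
    s->ias_obj = NULL;
}

/* Bind `attempts` times, release once, count objects stranded in the database. */
int stranded_after(int (*bind_fn)(struct sock_model *), int attempts)
{
    struct sock_model s = { 0 };
    int n = 0;
    while (ias_db) { struct ias_obj *o = ias_db; ias_db = o->next; free(o); } /* reset */
    for (int i = 0; i < attempts; i++) bind_fn(&s);
    sock_release(&s);
    for (struct ias_obj *o = ias_db; o; o = o->next) n++;
    return n;
}

int main(void)
{
    int u = stranded_after(bind_unchecked, 5), c = stranded_after(bind_checked, 5);
    printf("unchecked: %d stranded, checked: %d stranded\n", u, c);
    return 0;
}
```

In the model, every rebind after the first strands one object that teardown can no longer reach, which is the unbounded growth the commit message attributes to repeated binds.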