On Wed, Sep 12, 2018 at 03:49:16PM -0500, Tyler Hicks wrote:
> On 09/12/2018 02:35 PM, Greg KH wrote:
> > On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
> >> The irda_bind() function allocates memory for self->ias_obj without
> >> checking to see if the socket is already bound. A userspace process
> >> could repeatedly bind the socket, have each new object added into the
> >> LM-IAS database, and lose the reference to the old object assigned to
> >> the socket to exhaust memory resources. This patch errors out of the
> >> bind operation when self->ias_obj is already assigned.
> >>
> >> CVE-2018-6554
> >>
> >> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> >> Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
> >> Reviewed-by: Seth Arnold <seth.arnold@xxxxxxxxxxxxx>
> >> Reviewed-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
> >> ---
> >
> > No "Reported-by:" lines?
>
> I always like to give credit with Reported-by tags but this was a rare
> situation where the reporter didn't want to be acknowledged.

Fair enough, I had to ask :)

> > And again, how can you trigger any of this given the code doesn't even
> > work? Can you load irda modules as a "normal" user?
>
> I answered these questions in my other reply. The irda socket interface
> works well enough to reach the affected code.

Ok, thanks for the patches, I'll go queue them up everywhere now.

greg k-h
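
The leak and the check described in the quoted commit message, modelled in userland C as an added example. It is not the patch under discussion and not kernel code; every struct and function name is a hypothetical stand-in, and -EINVAL is an assumed error code.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userland model only: every name below is a hypothetical stand-in. */
struct ias_obj { struct ias_obj *next; };
struct model_sock { struct ias_obj *ias_obj; };  /* models self->ias_obj */
static struct ias_obj *ias_db;                   /* models the LM-IAS database */

/* Free every object in the model database and return how many there were. */
static size_t db_drain(void)
{
    size_t n = 0;
    for (struct ias_obj *o; (o = ias_db) != NULL; n++) {
        ias_db = o->next;
        free(o);
    }
    return n;
}

/* No bound-state check: each call adds an object and drops the old reference. */
static int bind_unchecked(struct model_sock *self)
{
    struct ias_obj *o = calloc(1, sizeof(*o));
    if (!o)
        return -ENOMEM;
    o->next = ias_db;
    ias_db = o;
    self->ias_obj = o;
    return 0;
}

/* The check the commit message describes; -EINVAL is an assumed error code. */
static int bind_checked(struct model_sock *self)
{
    return self->ias_obj ? -EINVAL : bind_unchecked(self);
}

/* Objects left in the database after `calls` binds on one socket. */
static size_t objects_after(int (*bind_fn)(struct model_sock *), int calls)
{
    struct model_sock s = { 0 };
    for (int i = 0; i < calls; i++)
        bind_fn(&s);
    return db_drain();
}

int main(void)
{
    printf("unchecked=%zu checked=%zu\n", objects_after(bind_unchecked, 1000), objects_after(bind_checked, 1000));
    return 0;
}
```

In the model, the object count grows with the number of bind calls when the check is absent and stays at one when it is present.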