From: Greg KH <greg@kroah.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket
Date: Thu, 13 Sep 2018 09:02:36 +0200
Message-ID: <20180913070236.GD11496@kroah.com>
In-Reply-To: <22c7e6a0-6a34-cbfb-8742-6dda5da245b6@canonical.com>

On Wed, Sep 12, 2018 at 03:49:16PM -0500, Tyler Hicks wrote:
> On 09/12/2018 02:35 PM, Greg KH wrote:
> > On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
> >> The irda_bind() function allocates memory for self->ias_obj without
> >> checking to see if the socket is already bound. A userspace process
> >> could repeatedly bind the socket, have each new object added into the
> >> LM-IAS database, and lose the reference to the old object assigned to
> >> the socket to exhaust memory resources. This patch errors out of the
> >> bind operation when self->ias_obj is already assigned.
> >>
> >> CVE-2018-6554
> >>
> >> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> >> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> >> Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
> >> Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
> >> ---
> > 
> > No "Reported-by:" lines?
> 
> I always like to give credit with Reported-by tags but this was a rare
> situation where the reporter didn't want to be acknowledged.

Fair enough, I had to ask :)

> > And again, how can you trigger any of this given the code doesn't even
> > work?  Can you load irda modules as a "normal" user?
> 
> I answered these questions in my other reply. The irda socket interface
> works well enough to reach the affected code.

Ok, thanks for the patches, I'll go queue them up everywhere now.

greg k-h
