author | Hanjie Lin <hanjie.lin@amlogic.com> | 2019-08-14 10:42:54 (GMT) |
---|---|---|
committer | Jianxin Pan <jianxin.pan@amlogic.com> | 2019-09-18 06:19:19 (GMT) |
commit | 27a1861d284a8598529011f7ac4d993ac48fe728 (patch) | |
tree | ec79740279824f1e6a3c03edb9fa86088a9e7b5c | |
parent | 64bdf85493769b57ee705648f6d26afd703ed0dc (diff) | |
download | common-27a1861d284a8598529011f7ac4d993ac48fe728.zip common-27a1861d284a8598529011f7ac4d993ac48fe728.tar.gz common-27a1861d284a8598529011f7ac4d993ac48fe728.tar.bz2 |
RAVENPLAT 2381:OSS vulnerability found in [boot.img]:[linux_kernel] (CVE-2018-6555) Risk:[] [1/1]
PD#OTT-5671
[Problem]
The irda_setsockopt function in net/irda/af_irda.c and later in
drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17
allows local users to cause a denial of service (ias_object
use-after-free and system crash) or possibly have unspecified other
impact via an AF_IRDA socket.
[Solution]
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.
[Test]
Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
-rw-r--r-- | net/irda/af_irda.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c index 101ed6c..4497d78 100644 --- a/net/irda/af_irda.c +++ b/net/irda/af_irda.c @@ -2016,7 +2016,11 @@ static int irda_setsockopt(struct socket *sock, int level, int optname, err = -EINVAL; goto out; } - irias_insert_object(ias_obj); + + /* Only insert newly allocated objects */ + if (free_ias) + irias_insert_object(ias_obj); + kfree(ias_opt); break; case IRLMP_IAS_DEL: |