From: Hanjie Lin Date: Wed, 14 Aug 2019 10:42:54 +0000 (+0800) Subject: RAVENPLAT 2381:OSS vulnerability found in [boot.img]:[linux_kernel] (CVE-2018-6555... X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=27a1861d284a8598529011f7ac4d993ac48fe728;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git RAVENPLAT 2381:OSS vulnerability found in [boot.img]:[linux_kernel] (CVE-2018-6555) Risk:[] [1/1] PD#OTT-5671 [Problem] The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket. [Solution] The irda_setsockopt() function conditionally allocates memory for a new self->ias_object or, in some cases, reuses the existing self->ias_object. Existing objects were incorrectly reinserted into the LM_IAS database which corrupted the doubly linked list used for the hashbin implementation of the LM_IAS database. When combined with a memory leak in irda_bind(), this issue could be leveraged to create a use-after-free vulnerability in the hashbin list. This patch fixes the issue by only inserting newly allocated objects into the database. [Test] Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a Signed-off-by: Hanjie Lin --- diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c index 101ed6c42808..4497d78281e0 100644 --- a/net/irda/af_irda.c +++ b/net/irda/af_irda.c @@ -2016,7 +2016,11 @@ static int irda_setsockopt(struct socket *sock, int level, int optname, err = -EINVAL; goto out; } - irias_insert_object(ias_obj); + + /* Only insert newly allocated objects */ + if (free_ias) + irias_insert_object(ias_obj); + kfree(ias_opt); break; case IRLMP_IAS_DEL: