evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/net/irda
History
Tyler Hicks 131a3b82c8 irda: Only insert new objects into the global database via setsockopt 
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.

CVE-2018-6555

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:40:40 +02:00
..
ircomm
irlan
irnet
af_irda.c irda: Only insert new objects into the global database via setsockopt 2018-09-15 09:40:40 +02:00
discovery.c
irda_device.c
iriap.c net/irda: handle iriap_register_lsap() allocation failure 2016-09-30 10:18:36 +02:00
iriap_event.c
irias_object.c
irlap.c
irlap_event.c
irlap_frame.c
irlmp.c
irlmp_event.c
irlmp_frame.c
irmod.c
irnetlink.c
irproc.c
irqueue.c irda: Fix lockdep annotations in hashbin_delete(). 2017-02-26 11:07:50 +01:00
irsysctl.c
irttp.c
Kconfig
Makefile
parameters.c
qos.c
timer.c
wrapper.c