From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Tyler Hicks, Seth Arnold, Stefan Bader
Subject: [PATCH 4.14 107/115] irda: Fix memory leak caused by repeated binds of irda socket
Date: Thu, 13 Sep 2018 15:32:07 +0200
Message-Id: <20180913131829.906753548@linuxfoundation.org>
In-Reply-To: <20180913131823.327472833@linuxfoundation.org>
References: <20180913131823.327472833@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Tyler Hicks The irda_bind() function allocates memory for self->ias_obj without checking to see if the socket is already bound. A userspace process could repeatedly bind the socket, have each new object added into the LM-IAS database, and lose the reference to the old object assigned to the socket to exhaust memory resources. This patch errors out of the bind operation when self->ias_obj is already assigned. CVE-2018-6554 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Tyler Hicks Reviewed-by: Seth Arnold Reviewed-by: Stefan Bader Signed-off-by: Greg Kroah-Hartman --- drivers/staging/irda/net/af_irda.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/staging/irda/net/af_irda.c +++ b/drivers/staging/irda/net/af_irda.c @@ -775,6 +775,13 @@ static int irda_bind(struct socket *sock return -EINVAL; lock_sock(sk); + + /* Ensure that the socket is not already bound */ + if (self->ias_obj) { + err = -EINVAL; + goto out; + } + #ifdef CONFIG_IRDA_ULTRA /* Special care for Ultra sockets */ if ((sk->sk_type == SOCK_DGRAM) &&
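
Review bot: the new early exit in irda_bind() jumps to out while holding the lock taken by lock_sock(sk) on the line above, so it is only safe if the out label calls release_sock(sk); that label is outside the visible context and should be confirmed for this 4.14 backport. Separately, the comment says "Ensure that the socket is not already bound", but the test is on self->ias_obj alone, so it rejects a rebind only on paths where a successful bind leaves ias_obj set. The CONFIG_IRDA_ULTRA branch for SOCK_DGRAM sockets follows directly after the check and its body is not shown here; it is worth checking whether that branch returns without assigning ias_obj, in which case repeated binds of Ultra sockets would pass this check, and either narrowing the comment to "ias_obj not already allocated" or adding a separate bound-state test.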