On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
The irda_bind() function allocates memory for self->ias_obj without checking to see if the socket is already bound. A userspace process could repeatedly bind the socket, have each new object added into the LM-IAS database, and lose the reference to the old object assigned to the socket to exhaust memory resources. This patch errors out of the bind operation when self->ias_obj is already assigned.
CVE-2018-6554
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
No "Reported-by:" lines?
And again, how can you trigger any of this given the code doesn't even work? Can you load irda modules as a "normal" user?
thanks,
greg k-h
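
The leak described in the quoted commit message, as an added userspace model that is not part of this e-mail or of the kernel source: it contrasts a bind handler that allocates unconditionally with one that checks self->ias_obj first. The names sock_model, db, DB_MAX, bind_unchecked, bind_checked and objects_after_binds are hypothetical, and -EINVAL is an assumed error code.

```c
/* Userspace model (constructed, not kernel code) of the bind path in the
 * commit message: a per-socket object pointer plus a global database. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define DB_MAX 16                          /* model's memory budget */
struct ias_obj { int id; };                /* stand-in for the real object */
struct sock_model { struct ias_obj *ias_obj; };
static struct ias_obj *db[DB_MAX];         /* stand-in for the LM-IAS database */
static int db_count;

/* Before the fix: each call allocates and registers a new object and
 * overwrites the socket's only reference to the previous one. */
static int bind_unchecked(struct sock_model *self)
{
    struct ias_obj *obj = db_count < DB_MAX ? malloc(sizeof(*obj)) : NULL;
    if (!obj)
        return -ENOMEM;
    obj->id = db_count;
    db[db_count++] = obj;
    self->ias_obj = obj;
    return 0;
}

/* After the fix: refuse to bind a socket that already owns an object.
 * -EINVAL is an assumed error code; the message only says it errors out. */
static int bind_checked(struct sock_model *self)
{
    return self->ias_obj ? -EINVAL : bind_unchecked(self);
}

/* Bind one socket n times; return how many objects the database holds. */
static int objects_after_binds(int (*bind_fn)(struct sock_model *), int n)
{
    struct sock_model s = { NULL };
    int i;
    for (i = 0; i < db_count; i++)
        free(db[i]);
    for (db_count = 0, i = 0; i < n; i++)
        bind_fn(&s);
    return db_count;
}

int main(void)
{
    printf("unchecked: %d objects\n", objects_after_binds(bind_unchecked, 5));
    printf("checked:   %d objects\n", objects_after_binds(bind_checked, 5));
    return 0;
}
```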