On Tue, Sep 04, 2018 at 03:24:04PM +0000, Tyler Hicks wrote:
> The irda_bind() function allocates memory for self->ias_obj without
> checking to see if the socket is already bound. A userspace process
> could repeatedly bind the socket, have each new object added into the
> LM-IAS database, and lose the reference to the old object assigned to
> the socket to exhaust memory resources. This patch errors out of the
> bind operation when self->ias_obj is already assigned.
>
> CVE-2018-6554
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
> Reviewed-by: Seth Arnold <seth.arnold@xxxxxxxxxxxxx>
> Reviewed-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
> ---
No "Reported-by:" lines?
And agin, how can you trigger any of this given the code doesn't even
work? Can you load irda modules as a "normal" user?
thanks,
greg k-h
