he irda_setsockopt() function conditionally allocates memory for a new self->ias_object or, in some cases, reuses the existing self->ias_object. Existing objects were incorrectly reinserted into the LM_IAS database which corrupted the doubly linked list used for the hashbin implementation of the LM_IAS database. When combined with a memory leak in irda_bind(), this issue could be leveraged to create a use-after-free vulnerability in the hashbin list. References: https://seclists.org/oss-sec/2018/q3/212 Suggested patches: https://www.spinics.net/lists/stable/msg255033.html https://www.spinics.net/lists/stable/msg255029.html
Notes: None of the Red Hat's products are vulnerable to this flaw.