Description Eugene Teo (Security Response)
2010-09-13 04:06:21 UTC
Description of problem:
http://lkml.org/lkml/2010/9/11/170
The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 bytes of uninitialized stack memory, because the "addr" member of the ch_reg struct declared on the stack in cxgb_extension_ioctl() is not altered or zeroed before being copied back to the user.
Acknowledgements:
Red Hat would like to thank Dan Rosenberg for reporting this issue.
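The leak pattern described in this report, as an added user-space model (not the cxgb3 driver's code and not from the report): a reply struct whose "addr" member is never written is copied out whole, next to the variant that zeroes the struct first. The struct name, the "cmd" and "val" members, the command constant and the stale byte value are assumptions made for the example, and memcpy() stands in for copy_to_user().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the reply struct. Only "addr" is named in the report; "cmd",
 * "val" and the constants below are assumptions made for this example. */
struct ch_reg_model {
    uint32_t cmd;
    uint32_t addr;
    uint32_t val;
};

#define GET_QSET_NUM_MODEL 0x1234u  /* constructed placeholder, not the real ioctl number */
#define STALE_BYTE 0xA5             /* constructed stand-in for leftover stack contents */

/* Leaky pattern: two members assigned, "addr" left as found, whole struct copied out. */
static void handler_leaky(struct ch_reg_model *slot, uint32_t nqsets, void *user_buf)
{
    slot->cmd = GET_QSET_NUM_MODEL;
    slot->val = nqsets;
    memcpy(user_buf, slot, sizeof(*slot));  /* stands in for copy_to_user() */
}

/* Hardened pattern: zero the whole struct (members and padding) before filling it. */
static void handler_zeroed(struct ch_reg_model *slot, uint32_t nqsets, void *user_buf)
{
    memset(slot, 0, sizeof(*slot));
    slot->cmd = GET_QSET_NUM_MODEL;
    slot->val = nqsets;
    memcpy(user_buf, slot, sizeof(*slot));
}

/* Run a handler on a slot pre-filled with stale bytes (modelling a reused
 * stack frame) and return the "addr" value the caller receives. */
static uint32_t observed_addr(void (*handler)(struct ch_reg_model *, uint32_t, void *))
{
    struct ch_reg_model slot, reply;
    memset(&slot, STALE_BYTE, sizeof(slot));
    handler(&slot, 4, &reply);
    return reply.addr;
}

int main(void)
{
    printf("leaky:  addr=0x%08x\n", (unsigned)observed_addr(handler_leaky));
    printf("zeroed: addr=0x%08x\n", (unsigned)observed_addr(handler_zeroed));
    return 0;
}
```

The stale bytes are placed in the slot explicitly so the result is deterministic; in a real stack frame the leaked value is whatever a previous call left behind.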