Reported to vendor-sec from the kernel security list, originally from Georgi Guninski.

"It is possible to partially overwrite low kernel memory due to integer overflow in sys_epoll_wait and misuse of __put_user in ep_send_events"

Note that this area usually doesn't actually contain anything (the first 4kB are left alone for dosemu etc. to read the original 16-bit interrupt descriptors, and the rest is just about the last thing we ever allocate, so it's usually unused).

Fixed upstream, see http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew
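An added illustration, not the kernel's code or the upstream patch: a user-space C model of how a count-times-record-size computation can wrap before a range check, next to a version that bounds the count first. The 12-byte record size, the `USER_LIMIT` value and all function names are assumptions; the report does not say which expression overflowed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the size of one event record (assumption). */
#define EVENT_SIZE 12u
/* Hypothetical top of the range a caller may ask to have written (32-bit model). */
#define USER_LIMIT 0xC0000000u

/* Byte length as a 32-bit product: wraps modulo 2^32 for large counts. */
static uint32_t naive_len(int maxevents)
{
    return (uint32_t)maxevents * EVENT_SIZE;
}

/* Naive range check: trusts the wrapped length. */
static int range_ok_naive(uint32_t base, int maxevents)
{
    uint32_t len = naive_len(maxevents);
    return base <= USER_LIMIT && len <= USER_LIMIT - base;
}

/* Hardened check: reject counts whose byte length cannot be represented,
 * so the multiplication below can no longer wrap. */
static int range_ok_checked(uint32_t base, int maxevents)
{
    if (maxevents <= 0 || (uint32_t)maxevents > INT_MAX / EVENT_SIZE)
        return 0;
    uint32_t len = (uint32_t)maxevents * EVENT_SIZE;
    return base <= USER_LIMIT && len <= USER_LIMIT - base;
}

int main(void)
{
    /* Constructed inputs: a sane count and one chosen so count * 12 wraps to 8. */
    const int counts[] = { 64, 357913942 };
    const uint32_t base = 0x08000000u;

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("maxevents=%d len=%u naive=%d checked=%d\n",
               counts[i], (unsigned)naive_len(counts[i]),
               range_ok_naive(base, counts[i]),
               range_ok_checked(base, counts[i]));
    return 0;
}
```

The second input passes the naive check as an 8-byte range even though the caller asked for roughly 4 GiB of records; the bounded version rejects it before any length is computed.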
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-366.html