A user can supply len < 0 in ipv6_getsockopt_sticky and cause a leak of kernel memory.
Created attachment 149966 Upstream patch from Chris Wright
Hi Marcel - This patch doesn't appear to be needed - len is ignored when copying header info to the user's buffer in ipv6_getsockopt_sticky() -- the length to hand back to userspace is taken directly from the header. I don't see this patch upstream. Let me know if I've missed the vulnerability here.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This request was evaluated by Red Hat Kernel Team for inclusion in a Red Hat Enterprise Linux maintenance release, and has moved to bugzilla status POST.