Description of problem:

http://lkml.org/lkml/2010/9/11/170

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 bytes of uninitialized stack memory, because the "addr" member of the ch_reg struct declared on the stack in cxgb_extension_ioctl() is not altered or zeroed before being copied back to the user.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.
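The pattern described above, as an added userspace illustration that is not the driver's code or the upstream patch: a reply struct is filled member by member and then copied out whole, so a member nobody assigns carries stale memory to the caller. The struct layout, the command number, the function names and the `residue` parameter (which stands in for old stack contents so the result is deterministic) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GET_QSET_NUM 0x10u   /* hypothetical command number */

/* Assumed layout: three 32-bit fields; "addr" is the member the report names. */
struct reg_reply { uint32_t cmd; uint32_t addr; uint32_t val; };

/* Flawed form: only cmd and val are assigned, addr keeps its old contents. */
static void fill_vulnerable(struct reg_reply *r, uint32_t nqsets)
{
    r->cmd = GET_QSET_NUM;
    r->val = nqsets;
}

/* Hardened form: zero the whole object first, so every member (and any
 * padding) is defined before the struct leaves the function. */
static void fill_hardened(struct reg_reply *r, uint32_t nqsets)
{
    memset(r, 0, sizeof(*r));
    r->cmd = GET_QSET_NUM;
    r->val = nqsets;
}

/* Simulated handler: "residue" models stale stack bytes left by an earlier
 * call; the final memcpy stands in for copy_to_user() of the full struct. */
static struct reg_reply handle_ioctl(int hardened, uint32_t residue, uint32_t nqsets)
{
    struct reg_reply local, user;
    uint32_t stale[3] = { residue, residue, residue };

    memcpy(&local, stale, sizeof(local));   /* constructed "dirty" storage */
    if (hardened)
        fill_hardened(&local, nqsets);
    else
        fill_vulnerable(&local, nqsets);
    memcpy(&user, &local, sizeof(user));    /* whole struct reaches the caller */
    return user;
}

int main(void)
{
    struct reg_reply v = handle_ioctl(0, 0xdeadbeefu, 4);
    struct reg_reply h = handle_ioctl(1, 0xdeadbeefu, 4);
    printf("vulnerable addr=0x%08x  hardened addr=0x%08x\n",
           (unsigned)v.addr, (unsigned)h.addr);
    return 0;
}
```

When reviewing similar handlers, check every struct that is copied to user space with `sizeof` of the whole object: each member and any padding must be written on every path before the copy.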
This commit 49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de in David Miller's net-2.6 git repo
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Upstream commit: http://git.kernel.org/linus/49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html