Description of problem: The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the 'sem_base', 'sem_pending', 'sem_pending_last', and 'undo' pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Reference: http://www.openwall.com/lists/oss-security/2010/10/06/6 http://www.spinics.net/lists/mm-commits/msg80234.html Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Extended Life Cycle Phase of its maintenance life-cycle, where only qualified security errata of critical impact are addressed. For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata
Upstream commit: http://git.kernel.org/linus/982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56
*** Bug 649614 has been marked as a duplicate of this bug. ***
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0958 https://rhn.redhat.com/errata/RHSA-2010-0958.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0004 https://rhn.redhat.com/errata/RHSA-2011-0004.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:0162 https://rhn.redhat.com/errata/RHSA-2011-0162.html