Description of problem:
In bcm_connect() (in net/can/bcm.c), there is the following code:

    sprintf(bo->procname, "%p", sock);

The CAN protocol uses the address of a kernel heap object sock as a proc filename, revealing information that could be useful during exploitation.

Reference:
http://seclists.org/oss-sec/2010/q4/103
http://www.spinics.net/lists/netdev/msg145791.html

Acknowledgements:
Red Hat would like to thank Dan Rosenberg for reporting this issue.
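The naming pattern described in the report, beside an address-free alternative and a check that tells them apart. This is an added userspace example, not code from the report or from the kernel. Assumptions: `struct demo_sock`, its `ino` field and all function names are hypothetical, the fixed-width hex format stands in for the kernel's `%p` output, and naming the entry after an identifier is one possible remedy (the page does not quote the patch).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a kernel socket object (not the real struct sock). */
struct demo_sock {
    unsigned long ino;   /* constructed inode-style identifier */
};

/* Pattern from the report: the object's address becomes the entry name. */
static void name_from_address(char *buf, size_t len, const struct demo_sock *sk)
{
    snprintf(buf, len, "%016llx", (unsigned long long)(uintptr_t)sk);
}

/* Address-free alternative (assumed remedy): name the entry after an identifier. */
static void name_from_ino(char *buf, size_t len, const struct demo_sock *sk)
{
    snprintf(buf, len, "%lu", sk->ino);
}

/* Audit check: returns 1 if the name decodes back to the object's address. */
static int name_reveals_address(const char *name, const struct demo_sock *sk)
{
    char *end = NULL;
    unsigned long long v;

    if (*name == '\0')
        return 0;
    v = strtoull(name, &end, 16);
    return *end == '\0' && v == (unsigned long long)(uintptr_t)sk;
}

int main(void)
{
    struct demo_sock sk = { .ino = 4242 };  /* constructed sample value */
    char leaky[32], safe[32];

    name_from_address(leaky, sizeof(leaky), &sk);
    name_from_ino(safe, sizeof(safe), &sk);
    printf("address-derived name: %s (reveals address: %d)\n",
           leaky, name_reveals_address(leaky, &sk));
    printf("identifier name:      %s (reveals address: %d)\n",
           safe, name_reveals_address(safe, &sk));
    return 0;
}
```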
Statement:
The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5 did not include CAN bus subsystem support, and therefore is not affected by this issue. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0330.html. A future kernel update in Red Hat Enterprise Linux 6 may address this flaw.
Patch: http://www.spinics.net/lists/netdev/msg151020.html
(In reply to comment #4)
> Patch: http://www.spinics.net/lists/netdev/msg151020.html

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83
This issue has been addressed in the following products:

MRG for RHEL-5

Via RHSA-2011:0330 https://rhn.redhat.com/errata/RHSA-2011-0330.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html