info->num comes from the user. It's type int. If the user passes in a negative value that would cause memory corruption. Upstream commit: http://git.kernel.org/linus/cb26a24ee9706473f31d34cc259f4dcf45cd0644 Introduced in bd403b67 (v2.6.2-rc1).
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:0263 https://rhn.redhat.com/errata/RHSA-2011-0263.html
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2011:0330 https://rhn.redhat.com/errata/RHSA-2011-0330.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0429 https://rhn.redhat.com/errata/RHSA-2011-0429.html