Description of the problem: On 32-bit systems, a large args->buffer_count from userspace via ioctl may overflow the allocation size, leading to out-of-bounds access.

References: http://www.openwall.com/lists/oss-security/2012/05/21/1

Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ed8cd3b2cd61004cab85380c52b1817aca1ca49b
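The overflow described above, modelled in userspace C as an added example (not the kernel's code and not the upstream patch). `uint32_t` stands in for a 32-bit `size_t`; the 56-byte element size, the function names and the sample count are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Assumed element size for illustration; not taken from the kernel source. */
#define ELEM_SIZE 56u

/* Models the size calculation on a 32-bit system: the product of the
 * user-supplied count and the element size is truncated to 32 bits. */
static uint32_t alloc_size_unchecked(uint32_t buffer_count)
{
    return buffer_count * ELEM_SIZE;   /* wraps modulo 2^32 */
}

/* Guarded form: reject any count whose byte size cannot be represented.
 * Returns 0 and stores the size in *size_out, or -EINVAL. */
static int alloc_size_checked(uint32_t buffer_count, uint32_t *size_out)
{
    if (buffer_count < 1 || buffer_count > UINT32_MAX / ELEM_SIZE)
        return -EINVAL;
    *size_out = buffer_count * ELEM_SIZE;
    return 0;
}

/* Number of whole elements that fit in an allocation of `size` bytes. */
static uint32_t elems_that_fit(uint32_t size)
{
    return size / ELEM_SIZE;
}

int main(void)
{
    uint32_t count = 0x20000001u;   /* constructed sample count */
    uint32_t size = alloc_size_unchecked(count);
    uint32_t checked = 0;

    /* The buffer is far smaller than the count the caller will index by. */
    printf("unchecked: count=%u -> %u bytes, room for %u element(s)\n",
           (unsigned)count, (unsigned)size, (unsigned)elems_that_fit(size));
    printf("checked:   count=%u -> %d\n",
           (unsigned)count, alloc_size_checked(count, &checked));
    return 0;
}
```

Any later loop that walks `buffer_count` entries indexes past the end of the undersized allocation, which is the out-of-bounds access the description refers to.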
FYI. This was fixed in 3.3.5 (stable commit 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that or newer already.
(In reply to comment #1)
> FYI. This was fixed in 3.3.5 (stable commit
> 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that
> or newer already.

Josh, what about Fedora 15? I see that f15 is on 2.6.43.

(In reply to comment #2)
> (In reply to comment #1)
> > FYI. This was fixed in 3.3.5 (stable commit
> > 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that
> > or newer already.
>
> Josh, what about Fedora 15? I see that f15 is on 2.6.43.

2.6.4x is just 3.x renamed. So kernel-2.6.43.5-2.fc15 is equivalent to 3.3.5, and that is the kernel currently in f15 stable updates. We have 2.6.43.7 already committed to Fedora git as well.

(In reply to comment #5)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > FYI. This was fixed in 3.3.5 (stable commit
> > > 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that
> > > or newer already.
> >
> > Josh, what about Fedora 15? I see that f15 is on 2.6.43.
>
> 2.6.4x is just 3.x renamed. So kernel-2.6.43.5-2.fc15 is equivalent to
> 3.3.5, and that is the kernel currently in f15 stable updates. We have
> 2.6.43.7 already committed to Fedora git as well.

Perfect, thanks for the info.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1156 https://rhn.redhat.com/errata/RHSA-2012-1156.html