Description of the problem: Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in net/socket.c") introduced a bug where the helper functions to take either a 64-bit or compat time[spec|val] got the arguments in the wrong order, passing the kernel stack pointer off as a user pointer (and vice versa). On architectures that use separate address spaces for userspace and kernel (for example PA-RISC), an unprivileged local user can crash the system or read kernel memory. Introduced in: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=644595f89620 Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=ed6fe9d614f Acknowledgements: This issue was discovered by Mikulas Patocka of Red Hat.
Fixed in 3.6-rc5. F18 and rawhide are on 3.6 final now so already fixed. Backported to the 3.5.4 stable kernel with commit d6534b3afbbb228c0eed4fa4a6d00a3490a5da52. Already fixed in F17. Backported to the 3.4.11 kernel with commit 43da476d7f734a1b55680668246d0237dde4ea57. Already fixed in F16.