Since the user can control the arguments provided to the kernel by the ioctl() system call, an out-of-bounds bug occurs when the 'id->name' provided by the user does not end with '\0'. Upstream commits: https://github.com/torvalds/linux/commit/6ab55ec0a938c7f943a4edba3d6514f775983887 https://github.com/torvalds/linux/commit/5934d9a0383619c14df91af8fd76261dc3de2f5f
Red Hat Enterprise Linux 6, 7, 8 and 9 are not affected by this flaw as they did not include support for faster lookup of control elements (upstream commit that introduced the bug): https://github.com/torvalds/linux/commit/c27e1ef.