Two weaknesses, a security issue, and some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially gain escalated privileges and by malicious people to disclose potentially sensitive information.

1) The "xfs_swapext()" function in fs/xfs/xfs_dfrag.c does not properly verify access permissions. This can be exploited to swap the contents of e.g. a write-only file owned by another user into a file readable by the attacker via a specially crafted IOCTL.

2) An integer overflow error within the "ethtool_get_rxnfc()" function in net/core/ethtool.c can be exploited to cause a kernel crash and potentially gain escalated privileges by sending a specially crafted IOCTL.

Successful exploitation requires that a network driver supporting the "get_rxnfc" operation is used.

3) A weakness is caused due to the XFS file system not properly verifying the inode numbers of file handles, which can lead to potentially sensitive information being disclosed to NFS clients.

4) A security issue is caused due to the "bfa_attach()" function in drivers/scsi/bfa/bfa_core.c not properly initialising certain data structures, which can be exploited to e.g. cause a crash by reading the fc_host statistics via the sysfs file.

5) A weakness in the "tc_fill_qdisc()" function (net/sched/sch_api.c) within the root (egress) Queuing Discipline (qdisc) functionality can be exploited to dereference a NULL pointer.

Solution
Update to version 2.6.35.

Provided and/or discovered by
1) Dan Rosenberg
2, 3, 4) Reported by the vendor.
5) Ben Pfaff

Changelog
Further details available in Customer Area

Original Advisory
1)
http://archives.free.net.ph/message/20100616.130710.301704aa.en.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1817176a86352f65210139d4c794ad2d19fc6b63
2)
http://article.gmane.org/gmane.linux.network/164869
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db048b69037e7fa6a7d9e95a1271a50dc08ae233
3)
http://oss.sgi.com/cgi-bin/mesg.cgi?a=xfs&i=1276756659-12338-1-git-send-email-david%40fromorbit.com
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7dce11dbac54fce777eea0f5fb25b2694ccd7900
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7124fe0a5b619d65b739477b3b55a20bf805b06d
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1920779e67cbf5ea8afef317777c5bf2b8096188
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7b6259e7a83647948fa33a736cc832310c8d85aa
4)
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7873ca4e4401f0ecd8868bf1543113467e6bae61

Ben Pfaff:
http://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area