Some weaknesses and a vulnerability have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

1) A vulnerability is caused due to wireless drivers potentially copying more kernel heap memory to userspace than intended, which can be exploited to disclose potentially sensitive information by e.g. sending a specially crafted "SIOCGIWESSID" IOCTL.

2) The "tcf_gact_dump()" function in net/sched/act_gact.c, the "tcf_mirred_dump()" function in net/sched/act_mirred.c, the "tcf_nat_dump()" function in net/sched/act_nat.c, the "tcf_simp_dump()" function in net/sched/act_simple.c, and the "tcf_skbedit_dump()" function in net/sched/act_skbedit.c are not properly initializing all members of certain structures before copying them to userspace, which can be exploited to disclose kernel stack memory.

3) The "tcf_act_police_dump()" function in net/sched/act_police.c is not properly initializing all members of a certain structure before copying it to userspace, which can be exploited to disclose kernel stack memory.

Solution
Update to version 2.6.36.

Provided and/or discovered by
1) Reported as a grsecurity bug by jubidu. Additional information provided by Brad Spengler and the vendor.
2) Disclosed in a GIT commit.
3) Jeff Mahoney, SUSE

Changelog
Further details available to Secunia VIM customers

Original Advisory
1) Jubidu:
http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0

http://lkml.org/lkml/2010/8/30/127
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=42da2f948d949efd0111309f5827bf0298bcc9a4

2) http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=1c40be12f7d8ca1d387510d39787b12e512a7ce8
3) http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e

Deep Links
Links available to Secunia VIM customers