Secunia

Some weaknesses have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose certain system information.

1) The "cxgb_extension_ioctl()" function in drivers/net/cxgb3/cxgb3_main.c, the "eql_g_master_cfg()" function in drivers/net/eql.c, and the "hso_get_count()" function in drivers/net/usb/hso.c are not properly initialising all members of certain structures before copying them to userspace, which can be exploited to disclose kernel stack memory by sending certain IOCTLs.

2) The "copy_semid_to_user()" function in ipc/sem.c and the "ivtvfb_ioctl()" function in drivers/media/video/ivtv/ivtvfb.c are not properly initialising all members of certain structures before copying them to userspace, which can be exploited to disclose kernel stack memory by sending certain IOCTLs.

3) The "copy_shmid_to_user()" function in ipc/shm.c, the "compat_sys_semctl()", "compat_sys_msgctl()", and "compat_sys_shmctl()" functions in ipc/compat.c, the "compat_sys_mq_open()" and "compat_sys_mq_getsetattr()" functions in ipc/compat_mq.c are not properly initialising all members of certain structures before copying them to userspace, which can be exploited to disclose kernel stack memory.

Solution
Update to version 2.6.36, which fixes vulnerabilities #1 and #2.

Provided and/or discovered by
1, 2) Dan Rosenberg
3) Dan Rosenberg and Kees Cook

Changelog
Further details available in Customer Area

Original Advisory
Kernel.org:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.23
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35.6
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.36-rc7
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.36-rc8

1) http://lkml.org/lkml/2010/9/11/170
http://lkml.org/lkml/2010/9/11/168
http://lkml.org/lkml/2010/9/11/167
2) http://seclists.org/oss-sec/2010/q3/424
3) http://lkml.org/lkml/2010/10/6/454
http://lkml.org/lkml/2010/10/6/492

Deep Links
Links available in Customer Area