Not sure wether we already fixed this one or was unaffected. Filing to be sure: Solar Designer found a race condition in do_add_counters(). The beginning of paddc is supposed to be the same as tmp which was sanity-checked above, but it might not be the same in reality. In case the integer overflow and/or the race condition are triggered, paddc->num_counters might not match the allocation size for paddc. If the check below (t->private->number != paddc->num_counters) nevertheless passes (perhaps this requires the race condition to be triggered), IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, potentially leaking sensitive data (e.g., passwords from host system or from another VPS) via counter increments.
Dan, please add this patch to genpatches, thanks: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
Patch URL: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=129163
Fixed in genpatches-2.6.16-10 (gentoo-sources-2.6.16-r8) P.S. The patch you linked to is not the complete fix
2.6.16.17 has the full fix along with some more SCTP goodies.
Maintainers please bump to genpatches-2.6.16-10 or 2.6.16.18: hardened-sources-2.6: johnm, hardened herd hppa-sources-2.6: GMSoft rsbac-sources-2.6: kang sh-sources-2.6: vapier suspend2-sources-2.6: brix usermode-sources-2.6: dang xbox-sources-2.6: chrb, gimli xen-sources-2.6: chrb, agriffis
hppa-sources-2.6.16.18-pa11 in the tree.
Fixed in sys-kernel/suspend2-sources-2.6.16-r7.
usermode bumped to 2.6.16-r1
All fixed, closing. vapier please bump sh-sources.