The __scm_destroy function in net/core/scm.c in the Linux kernel
22.214.171.124, 2.6.26, and earlier makes indirect recursive calls to
itself through calls to the fput function, which allows local users
to cause a denial of service (panic) via vectors related to sending
an SCM_RIGHTS message through a UNIX domain socket and closing file
*** Bug 250399 has been marked as a duplicate of this bug. ***
Populated Status Whiteboard. Here's the upstream patch:
Should this patch be applied independently, it is also strongly recommended to apply this related patch:
"scm: fix scm_fp_list->list initialization made in wrong place"
hardened-kernel unaffected at present time. Removing alias.
PS: genpatches-2.6.26-4 added 126.96.36.199. genpatches-2.6.27-5 added 188.8.131.52. =genpatches-2.6.25* remains vulnerable. However, hardened-sources-2.6.25-r13 does not because we independently folded in the newest stable patches.