Description of problem:

A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the "compat_alloc_user_space" method with an arbitrary length input.

Reference: http://sota.gen.nz/compat1/

Upstream commit: http://git.kernel.org/linus/c41d68a513c71e35a14f66d71782d27a79a81ea6

Acknowledgements: Red Hat would like to thank Ben Hawkes for reporting this issue.

Exploit: http://seclists.org/fulldisclosure/2010/Sep/268
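
The underflow described in the problem description, shown as a user-space model beside a bounded and range-checked variant. This is an added example, not kernel code and not the upstream patch; the model_* names, the 4 GiB user limit and the sample stack pointer are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model values: a 4 GiB compat user range and a sample stack pointer. */
#define MODEL_USER_LIMIT 0x100000000ULL
#define MODEL_USER_SP    0xFFD00000ULL

/* Before: the length is subtracted from the user stack pointer with no bound,
 * so a length larger than the stack pointer wraps the 64-bit result. */
static uint64_t model_alloc_unchecked(uint64_t sp, uint64_t len)
{
    return sp - len;
}

/* True when [ptr, ptr + len) lies wholly inside the modelled user range. */
static int model_range_ok(uint64_t ptr, uint64_t len)
{
    return len <= MODEL_USER_LIMIT && ptr <= MODEL_USER_LIMIT - len;
}

/* After: bound the length to half the 32-bit space, then validate the
 * resulting range. Returns 0 (standing in for NULL) when refused. */
static uint64_t model_alloc_checked(uint64_t sp, uint64_t len)
{
    uint64_t ptr;

    if (len > (UINT32_MAX >> 1))
        return 0;
    ptr = sp - len;                 /* can still wrap when sp is small */
    if (!model_range_ok(ptr, len))
        return 0;
    return ptr;
}

int main(void)
{
    /* Constructed lengths: small, largest accepted, first rejected, larger than sp. */
    uint64_t lens[] = { 0x100, 0x7FFFFFFF, 0x80000000ULL, 0x100000000ULL };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint64_t raw = model_alloc_unchecked(MODEL_USER_SP, lens[i]);
        printf("len=%#llx unchecked=%#llx in_range=%d checked=%#llx\n",
               (unsigned long long)lens[i], (unsigned long long)raw,
               model_range_ok(raw, lens[i]),
               (unsigned long long)model_alloc_checked(MODEL_USER_SP, lens[i]));
    }
    return 0;
}
```

A caller of the checked variant has to treat a zero return as a failed allocation and return an error instead of writing through the pointer.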