The __scm_destroy function in net/core/scm.c in the Linux kernel 22.214.171.124,
2.6.26, and earlier makes indirect recursive calls to itself through calls
to the fput function, which allows local users to cause a denial of service
(panic) via vectors related to sending an SCM_RIGHTS message through a UNIX
domain socket and closing file descriptors.
It was discovered that the Unix Socket handler did not correctly process
the SCM_RIGHTS message. A local attacker could make a malicious socket
request that would crash the system, leading to a denial of service.
kees> raised priority due to public PoC
Updated: 2015-07-29 20:34:07 UTC (commit 9756)