[CVE-2012-4530] kernel stack disclosure in binfmt_script load_script
Luis Henriques
luis.henriques at canonical.com
Wed Dec 19 12:41:57 UTC 2012
From http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/:
"Linux kernel binfmt_script handling in combination with CONFIG_MODULES
can lead to disclosure of kernel stack data during execve via copy of
data from dangling pointer to stack to growing argv list. Apart from
that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
recursions is ignored, instead a maximum of roughly 2^6 recursions is
in place."
Following this email, there are two patches that need to be applied to
L, O, P, Q and R:
- "exec: use -ELOOP for max recursion depth"
This patch has been recently merged into mainline
(d740269867021faf4ce38a449353d2b986c34a67) and fixes the recursion
issue.
- "exec: do not leave bprm->interp on stack"
This patch fixes the stack disclosure issue. It hasn't been merged
upstream yet, and it's available in the -mm tree.
There's a POC that can be used as test case, available here:
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
Cheers,
--
Luis
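The visible effect of the first patch ("exec: use -ELOOP for max recursion depth") is that unbounded #! recursion now fails with ELOOP instead of being cut off by the broken depth check, while a short chain of script-as-interpreter hops keeps working. Below is an added regression harness that exercises exactly that from userspace; it is not the halfdog.net PoC and not code from the Ubuntu kernel team. It assumes a Linux kernel carrying the fix, that $TMPDIR (or /tmp) is writable and not mounted noexec, and that /bin/sh exists; the file names level0, level1, ... are made up here. The exact maximum depth differs between kernel versions, so only the two unambiguous cases are checked: a two-script chain ending in /bin/sh must run, and a script whose interpreter is itself must fail with ELOOP.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_LEVELS 16

/* Write an executable (mode 0755) file with the given contents; 0 on success. */
static int write_exec(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* fork + execve(path). Returns 0 if the program ran and exited 0, the child's
 * errno if execve itself failed (e.g. ELOOP), or -1 on a harness failure.
 * A successful exec never returns, so the child's exit status is the only
 * channel through which the errno can reach the parent. */
static int try_exec(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);
        _exit(errno);                  /* only reached when execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Build `levels` interpreter scripts in a fresh temporary directory and exec
 * the head. Normal chain: level0 -> level1 -> ... -> /bin/sh (last script just
 * exits 0). With self_loop set, a single script names itself as interpreter,
 * i.e. unbounded #! recursion. Files are removed before returning. */
static int run_chain(int levels, int self_loop)
{
    if (levels < 1 || levels > MAX_LEVELS)
        return -1;
    const char *tmp = getenv("TMPDIR");
    char dir[256];
    snprintf(dir, sizeof dir, "%s/binfmt_script_XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return -1;

    char path[MAX_LEVELS][300], body[320];
    int rc = 0;
    for (int i = 0; i < levels; i++)
        snprintf(path[i], sizeof path[i], "%s/level%d", dir, i);

    for (int i = 0; i < levels && rc == 0; i++) {
        if (self_loop)                 /* interpreter is the script itself */
            snprintf(body, sizeof body, "#!%s\n", path[0]);
        else if (i == levels - 1)      /* final hop is a real interpreter */
            snprintf(body, sizeof body, "#!/bin/sh\nexit 0\n");
        else                           /* hand off to the next script */
            snprintf(body, sizeof body, "#!%s\n", path[i + 1]);
        rc = write_exec(path[i], body);
    }

    int result = rc == 0 ? try_exec(path[0]) : -1;
    for (int i = 0; i < levels; i++)
        unlink(path[i]);
    rmdir(dir);
    return result;
}

/* Legitimate recursion: `depth` scripts, the last one run by /bin/sh. */
int exec_script_chain(int depth) { return run_chain(depth, 0); }

/* Unbounded recursion: a script whose #! line points at itself. */
int exec_self_loop(void) { return run_chain(1, 1); }

int main(void)
{
    printf("two-script chain -> /bin/sh: %d (expect 0)\n", exec_script_chain(2));
    int r = exec_self_loop();
    printf("self-referential script: %d (%s), expect ELOOP=%d\n",
           r, strerror(r), ELOOP);
    return 0;
}
```

On a kernel without the fix the self-referential case comes back as ENOEXEC rather than ELOOP, which is what makes this usable as a before/after check for the backport; if it comes back as EACCES instead, the temporary directory is on a noexec mount and the harness, not the kernel, is at fault.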