[Acked] [CVE-2012-4530] kernel stack disclosure in binfmt_script load_script

Andy Whitcroft apw at canonical.com
Thu Dec 20 14:13:32 UTC 2012


On Wed, Dec 19, 2012 at 12:41:57PM +0000, Luis Henriques wrote:
> From http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/:
> 
> "Linux kernel binfmt_script handling in combination with CONFIG_MODULES
> can lead to disclosure of kernel stack data during execve via copy of
> data from dangling pointer to stack to growing argv list. Apart from
> that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
> recursions is ignored, instead a maximum of roughly 2^6 recursions is
> in place."
> 
> Following this email, there are two patches that need to be applied to
> L, O, P, Q and R:
> 
> - "exec: use -ELOOP for max recursion depth"
>   This patch has been recently merged into mainline
>   (d740269867021faf4ce38a449353d2b986c34a67) and fixes the recursion
>   issue.
> 
> - "exec: do not leave bprm->interp on stack"
>   This patch fixes the stack disclosure issue.  It hasn't been merged
>   upstream yet, and it's available in the -mm tree.
> 
> There's a POC that can be used as test case, available here:
> 
>   http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
> 


These appear to be reasonable backports of the upstream changes.  The
change from -mm while not 100% certain to be the final form, no
discussion has occurred on it for some weeks now.  It seems 'ok' if not
the final solution and I expect it to be applied as is and refined
rather than wholesale rejected.

Therefore:

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw
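An added regression check for the first of the two patches (not part of this thread or the kernel tree): it builds a chain of "#!" scripts that name each other as interpreter and runs the head of the chain, so a kernel carrying "exec: use -ELOOP for max recursion depth" refuses the deep chain while an unpatched one follows it. It assumes a writable, exec-enabled mktemp directory and /bin/sh.

```shell
#!/bin/sh
# Regression check for the binfmt_script recursion cap (added example).
# Each script in the chain names the next one as its interpreter; the
# last one is an ordinary /bin/sh script. A fixed kernel stops at
# BINPRM_MAX_RECURSION levels and fails execve with ELOOP ("Too many
# levels of symbolic links"); the unfixed kernel allowed roughly 64.

# build_chain DIR N : write DIR/s1 .. DIR/sN, sN being the real script.
build_chain() {
    dir=$1; n=$2
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$i" -eq "$n" ]; then
            printf '#!/bin/sh\necho ok\n' > "$dir/s$i"
        else
            # interpreter path in a #! line must be absolute
            printf '#!%s/s%d\n' "$dir" "$((i + 1))" > "$dir/s$i"
        fi
        chmod 755 "$dir/s$i"
        i=$((i + 1))
    done
}

# run_chain N : execute a chain of depth N; prints "ok" if the kernel
# followed every level, "refused" if execve failed (e.g. with ELOOP).
run_chain() {
    dir=$(mktemp -d) || return 1
    build_chain "$dir" "$1"
    out=$("$dir/s1" 2>/dev/null) || out=refused
    rm -rf "$dir"
    if [ "$out" = ok ]; then echo ok; else echo refused; fi
}

# Depth 2 must work everywhere; depth 8 exceeds the patched limit (4, and
# also the 5 used by later kernels) but stays far below the unpatched ~64.
for depth in 2 8; do
    printf 'chain depth %d: %s\n' "$depth" "$(run_chain "$depth")"
done
```

On a kernel without the fix the second line reports "ok" instead of "refused".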