[Acked] [CVE-2012-4530] kernel stack disclosure in binfmt_script load_script
Andy Whitcroft
apw at canonical.com
Thu Dec 20 14:13:32 UTC 2012
On Wed, Dec 19, 2012 at 12:41:57PM +0000, Luis Henriques wrote:
> From http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/:
>
> "Linux kernel binfmt_script handling in combination with CONFIG_MODULES
> can lead to disclosure of kernel stack data during execve via copy of
> data from dangling pointer to stack to growing argv list. Apart from
> that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
> recursions is ignored, instead a maximum of roughly 2^6 recursions is
> in place."
>
> Following this email, there are two patches that need to be applied to
> L, O, P, Q and R:
>
> - "exec: use -ELOOP for max recursion depth"
> This patch has been recently merged into mainline
> (d740269867021faf4ce38a449353d2b986c34a67) and fixes the recursion
> issue.
>
> - "exec: do not leave bprm->interp on stack"
> This patch fixes the stack disclosure issue. It hasn't been merged
> upstream yet, and it's available in the -mm tree.
>
> There's a POC that can be used as test case, available here:
>
> http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
>
These appear to be reasonable backports of the upstream changes. While
the change from -mm is not 100% certain to be the final form, no
discussion has occurred on it for some weeks now. It seems 'ok' if not
the final solution and I expect it to be applied as is and refined
rather than wholesale rejected.
Therefore:
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
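As an added regression check (not part of this thread, the patches, or the halfdog.net PoC), the script below builds a chain of interpreter scripts, each one's `#!` line naming the next, and runs the head of the chain. A kernel that enforces the binfmt recursion cap (the "exec: use -ELOOP for max recursion depth" behaviour) refuses a deep chain with ELOOP while a shallow chain still runs; a kernel with the bug described above lets chains far deeper than 4 execute. It only exercises the recursion limit, not the stack disclosure. It assumes `mktemp`, `/bin/sh`, and a `TMPDIR` (default `/tmp`) that is not mounted noexec; the depths 2 and 10 are constructed values, chosen well below and well above the cap.

```shell
#!/bin/sh
# Constructed check: does the kernel cap nested #! interpreters?
# build_chain DIR DEPTH creates DIR/s1 .. DIR/sDEPTH; sDEPTH is a real
# /bin/sh script, every earlier sN has "#!DIR/s(N+1)" as its interpreter.
build_chain() {
    dir=$1
    depth=$2
    i=$depth
    while [ "$i" -ge 1 ]; do
        if [ "$i" -eq "$depth" ]; then
            printf '#!/bin/sh\necho chain-ok\n' > "$dir/s$i"
        else
            next=$((i + 1))
            printf '#!%s/s%s\n' "$dir" "$next" > "$dir/s$i"
        fi
        chmod 755 "$dir/s$i"
        i=$((i - 1))
    done
}

# run_chain DEPTH prints "ok" when the whole chain executed and reached
# the final /bin/sh script, "refused" when execve of the chain failed
# (ELOOP on a fixed kernel; bash reports it as exit status 126).
run_chain() {
    depth=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/binfmt-chain.XXXXXX")
    build_chain "$dir" "$depth"
    status=0
    out=$("$dir/s1" 2>/dev/null) || status=$?
    rm -rf "$dir"
    if [ "$status" -eq 0 ] && [ "$out" = "chain-ok" ]; then
        echo ok
    else
        echo refused
    fi
}

# Stand-alone report: a healthy kernel prints "ok" for depth 2 and
# "refused" for depth 10.
printf 'depth 2: %s\n' "$(run_chain 2)"
printf 'depth 10: %s\n' "$(run_chain 10)"
```

Run it as an unprivileged user; a result of `ok` for the depth-10 chain means the recursion cap is not being enforced and the "exec: use -ELOOP for max recursion depth" backport is worth confirming on that kernel.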