Bug 46841

Summary: exec: binfmt_script linux kernel stack data disclosure
Product: File System
Reporter: me
Component: Other
Assignee: fs_other
Status: RESOLVED OBSOLETE
Severity: high
CC: alan, brahma.gdb
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.2.0
Subsystem:
Regression: No
Bisected commit-id:

Description me 2012-09-02 06:24:37 UTC
Binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via a copy of data from a dangling pointer to the stack into the growing argv list. Apart from that, BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored; instead, a maximum of roughly 2^6 recursions is in place.

See http://lkml.org/lkml/2012/8/18/75 for a discussion of the problem and patch proposals, but there is no solution yet.

See http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ for POC.
Comment 1 Brahma 2013-10-15 05:15:29 UTC
Could you provide pointers or a workaround to resolve this issue?
Comment 2 me 2013-10-17 17:32:50 UTC
This was tracked as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4530 and is already fixed.

Here are two commits dealing with that ...

https://github.com/torvalds/linux/commit/b66c5984017533316fd1951770302649baf1aa33

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b66c5984017533316fd1951770302649baf1aa33

... but there are many more, since not only the mainline kernel was patched.