Bug 46841 - exec: binfmt_script linux kernel stack data disclosure
Summary: exec: binfmt_script linux kernel stack data disclosure
Status: RESOLVED OBSOLETE
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 high
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
Reported: 2012-09-02 06:24 UTC by me
Modified: 2013-11-19 23:20 UTC
2 users

See Also:
Kernel Version: 3.2.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description me 2012-09-02 06:24:37 UTC
binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve, via a copy of data from a dangling pointer to the stack
into the growing argv list. Apart from that, BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored; instead a maximum of roughly 2^6 recursions is in place.

See http://lkml.org/lkml/2012/8/18/75 for a discussion of the problem and patch proposals, but there is no solution yet.

See http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ for a PoC.
Comment 1 Brahma 2013-10-15 05:15:29 UTC
Could you provide pointers or a workaround to resolve this issue?
Comment 2 me 2013-10-17 17:32:50 UTC
This was tracked as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4530 and is already fixed.

Here are two commits dealing with that ...

https://github.com/torvalds/linux/commit/b66c5984017533316fd1951770302649baf1aa33

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b66c5984017533316fd1951770302649baf1aa33

... but there are many more, since not only the mainline kernel was patched.
