Full Disclosure mailing list archives
binfmt_script kernel stack data disclosure during exec
From: halfdog <me () halfdog net>
Date: Wed, 10 Oct 2012 19:21:44 +0000
Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from a dangling pointer to the stack into the growing argv list. Apart from that, BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored; instead a maximum of roughly 2^6 recursions is in place.

A patch draft is available, but it is not accepted by upstream and might not have been checked thoroughly enough for production use. Since the issue is somehow public anyway, but upstream fixing may still take longer, I'm putting it here so that anyone with need can evaluate or optimize the patch by himself.

See [1] for extended description and POC.

hd

[1] http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee