Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

binfmt_script kernel stack data disclosure during exec
From: halfdog <me () halfdog net>
Date: Wed, 10 Oct 2012 19:21:44 +0000

Linux kernel binfmt_script handling in combination with CONFIG_MODULES
can lead to disclosure of kernel stack data during execve via copy of
data from dangling pointer to stack to growing argv list. Apart from
that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
recursions is ignored, instead a maximum of roughly 2^6 recursions is
in place.

A patch draft is available, but not accepted by upstream and might not
have been checked thoroughly enough for production use. Since the issue
is somehow public anyway, but upstream fixing may still take longer, I'm
putting it here so that anyone with need can evaluate or optimize the
patch by himself.

See [1] for extended description and POC.

hd

[1]
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • binfmt_script kernel stack data disclosure during exec halfdog (Oct 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault