mailing list archives
binfmt_script kernel stack data disclosure during exec
From: halfdog <me () halfdog net>
Date: Wed, 10 Oct 2012 19:21:44 +0000
Linux kernel binfmt_script handling in combination with CONFIG_MODULES
can lead to disclosure of kernel stack data during execve via copy of
data from dangling pointer to stack to growing argv list. Apart from
that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
recursions is ignored, instead a maximum of roughly 2^6 recursions is
A patch draft is available, but not accepted by upstream and might not
have been checked thoroughly enough for production use. Since the issue
is somehow public anyway, but upstream fixing may still take longer, I'm
putting it here so that anyone with need can evaluate or optimize the
patch by himself.
See  for extended description and POC.
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- binfmt_script kernel stack data disclosure during exec halfdog (Oct 10)