From: halfdog <me@halfdog.net>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Search for patch for kernel stack disclosure in binfmt_script during execve
Date: Sat, 18 Aug 2012 14:00:32 +0000
Message-ID: <502FA000.8090700@halfdog.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm searching for a patch for a Linux kernel stack disclosure in
binfmt_script with crafted interpreter names when CONFIG_MODULES is
active (see [1]).

The simplest solution would be to return an error in load_script (from
fs/binfmt_script.c) when the maximal recursion depth is reached, but I'm
not sure if that is nice and could have any side effects. Apart from
that, some change in the loop condition in search_binary_handler (from
fs/exec.c) could have side effects hard to see and hence reintroduce
the bug (challenge to get that right in documentation).


Any comments?

- --- fs/binfmt_script.c  2012-01-19 23:04:48.000000000 +0000
+++ fs/binfmt_script.c        2012-08-18 13:55:25.735748407 +0000
@@ -22,9 +22,8 @@
        char interp[BINPRM_BUF_SIZE];
        int retval;

- -       if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
- -           (bprm->recursion_depth > BINPRM_MAX_RECURSION))
- -               return -ENOEXEC;
+       if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!')) return
- -ENOEXEC;
+        if (bprm->recursion_depth > BINPRM_MAX_RECURSION) return -ENOMEM;
        /*
         * This section does the #! interpretation.
         * Sorta complicated, but hopefully it will work.  -TYT

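Review bot: the depth-limit branch now returns -ENOMEM, which misdescribes the condition (no allocation failed) and hides the real cause from the caller; since the point of the change is only that a value other than -ENOEXEC makes search_binary_handler stop trying the remaining formats, a descriptive code such as -ELOOP does the same job without the misleading errno. The split also leaves `if (...) return` with the statement on the same line as the condition, which kernel style puts on its own line. Separately, the hunk as posted will not apply: the inline PGP signing has dash-escaped the removed lines (`- -       if (...)`), and the first `+` line has been wrapped so that `-ENOEXEC;` lands on its own escaped line. Please resend unwrapped (e.g. via git send-email), with a Signed-off-by line and a changelog that references the stack-disclosure report in [1].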
hd

[1]
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlAvn0MACgkQxFmThv7tq+6nUACfdk7KWESuC6J1FXZcrMaa3kCb
eWoAn0wV6INdYGjAZydd6ytO0i5BnhGa
=cxbR
-----END PGP SIGNATURE-----
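The patch above relies on one property of the binfmt dispatch loop: a handler returning -ENOEXEC means "not my format, try the next one", while any other return value ends the search. The following userspace model, added here as an illustration and not code from the mail or from the kernel, makes that visible. The names model_load_script, model_load_elf, model_load_misc, model_search_binary_handler and run_exec, the handler order, and the depth_errno knob are all constructed for the model; BINPRM_MAX_RECURSION is the limit the hunk checks against.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: a few binfmt handlers and the dispatch
 * loop that walks them, so the effect of the error code returned at the
 * recursion limit can be observed in userspace. */

#define BINPRM_MAX_RECURSION 4      /* same limit the hunk checks against */

struct binprm {
    char buf[16];           /* first bytes of the image, like bprm->buf */
    int recursion_depth;    /* like bprm->recursion_depth */
    int depth_errno;        /* error to return when the limit is exceeded (model knob) */
    int handlers_tried;     /* how many handlers inspected the image */
};

typedef int (*load_fn)(struct binprm *);

/* Stand-in for load_script(): the #! check, then the depth check from the hunk. */
static int model_load_script(struct binprm *bprm)
{
    bprm->handlers_tried++;
    if (bprm->buf[0] != '#' || bprm->buf[1] != '!')
        return -ENOEXEC;              /* not a script: let the next handler try */
    if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
        return bprm->depth_errno;     /* -ENOEXEC before the patch, another errno after */
    return 0;                         /* accepted (the real one would re-enter the loop) */
}

/* Stand-in for an ELF loader: accepts only the ELF magic. */
static int model_load_elf(struct binprm *bprm)
{
    bprm->handlers_tried++;
    if (memcmp(bprm->buf, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;
    return 0;
}

/* Stand-in for a handler that never matches (e.g. binfmt_misc with no rules). */
static int model_load_misc(struct binprm *bprm)
{
    bprm->handlers_tried++;
    return -ENOEXEC;
}

static const load_fn formats[] = { model_load_script, model_load_elf, model_load_misc };

/* The rule search_binary_handler() applies: -ENOEXEC means "not mine, try the
 * next format"; any other return value, success included, ends the search. */
static int model_search_binary_handler(struct binprm *bprm)
{
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        int retval = formats[i](bprm);
        if (retval != -ENOEXEC)
            return retval;
    }
    /* Nobody claimed the image. With CONFIG_MODULES the real loop would go on
     * to request_module() and walk the formats a second time. */
    return -ENOEXEC;
}

struct outcome { int retval; int handlers_tried; };

/* Run one constructed image through the model with a given depth and limit errno. */
struct outcome run_exec(const char *image, int depth, int depth_errno)
{
    struct binprm bprm;
    struct outcome o;
    memset(&bprm, 0, sizeof bprm);
    strncpy(bprm.buf, image, sizeof bprm.buf - 1);
    bprm.recursion_depth = depth;
    bprm.depth_errno = depth_errno;
    o.retval = model_search_binary_handler(&bprm);
    o.handlers_tried = bprm.handlers_tried;
    return o;
}

int main(void)
{
    struct outcome before = run_exec("#!/bin/sh", BINPRM_MAX_RECURSION + 1, -ENOEXEC);
    struct outcome after  = run_exec("#!/bin/sh", BINPRM_MAX_RECURSION + 1, -ELOOP);
    printf("limit hit, -ENOEXEC: retval=%d, handlers tried=%d\n", before.retval, before.handlers_tried);
    printf("limit hit, -ELOOP:   retval=%d, handlers tried=%d\n", after.retval, after.handlers_tried);
    return 0;
}
```

With the old -ENOEXEC return, a script that has exceeded the depth limit is still offered to every remaining format (and, in the real kernel with CONFIG_MODULES, to request_module() and a second pass); with a distinct errno the search ends at the script handler, which is what the change to the depth check is meant to achieve. The specific errno (the hunk's -ENOMEM, or -ELOOP) does not matter to this loop, only that it is not -ENOEXEC.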


Thread overview: 8+ messages
2012-08-18 14:00 halfdog [this message]
2012-08-19  8:39 ` Search for patch for kernel stack data disclosure in binfmt_script during execve halfdog
2012-08-22 21:49   ` halfdog
2012-08-23  8:56     ` Kirill A. Shutemov
2012-08-24 10:10       ` halfdog
2012-09-20 16:05         ` [PATCH] Fix " halfdog
2012-09-21 19:15           ` Randy Dunlap
2012-09-23  4:54             ` [PATCH v2] " halfdog
