| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Oct 2012 19:21:44 +0000 From: halfdog <me@...fdog.net> To: full-disclosure@...ts.grok.org.uk Subject: binfmt_script kernel stack data disclosure during exec Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from dangling pointer to stack to growing argv list. Apart from that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, instead a maximum of roughly 2^6 recursions is in place. A patch draft is available, but not accepted by upstream and might not have been checked thoroughly enough for production use. Since the issue is somehow public anyway, but upstream fixing may still take longer, I'm putting it here so that anyone with need can evaluate or optimize the patch by himself. See [1] for extended description and POC. hd [1] http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists