-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm searching for a patch for linux kernel stack disclosure in
binfmt_script with crafted interpreter names when CONFIG_MODULES is
active (see [1]).
The simplest solution would be to return an error in load_script (from
fs/binfmt_script.c). when maximal recursion depth is reached, but I'm
not sure, if that is nice and could have any side effects. Apart from
that, some change in the loop condition in search_binary_handler (from
fs/exec.c) could have side effects hard to see and hence reintroduce
the bug (challenge to get that right in documentation).
Any comments?
- --- fs/binfmt_script.c 2012-01-19 23:04:48.000000000 +0000
+++ fs/binfmt_script.c 2012-08-18 13:55:25.735748407 +0000
@@ -22,9 +22,8 @@
char interp[BINPRM_BUF_SIZE];
int retval;
- - if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
- - (bprm->recursion_depth > BINPRM_MAX_RECURSION))
- - return -ENOEXEC;
+ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!')) return
- -ENOEXEC;
+ if (bprm->recursion_depth > BINPRM_MAX_RECURSION) return -ENOMEM;
/*
* This section does the #! interpretation.
* Sorta complicated, but hopefully it will work. -TYT
hd
[1]
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAlAvn0MACgkQxFmThv7tq+6nUACfdk7KWESuC6J1FXZcrMaa3kCb
eWoAn0wV6INdYGjAZydd6ytO0i5BnhGa
=cxbR
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
