Bug 868285 (CVE-2012-4530)

Summary: CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
Product: [Other] Security Response Reporter: Prasad J Pandit <prasad>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, anton, bhu, davej, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jneedle, jonathan, jpoimboe, jrusnack, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, plougher, pmatouse, rt-maint, sforsber, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120818,reported=20121015,source=customer,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,rhel-5/kernel=notaffected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-29 03:13:37 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 880145, 880146, 880147, 880153, 880154    
Bug Blocks: 866868    

Description Prasad J Pandit 2012-10-19 08:15:55 EDT
A memory disclosure flaw has been found in the way binfmt_script load_script()
function handled excessive recursions. An unprivileged local user could use
this flaw to leak kernel memory.

References:
 - http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
 - https://lkml.org/lkml/2012/8/18/75

Proposed upstream fix:
 - https://lkml.org/lkml/2012/9/23/29
Comment 1 Prasad J Pandit 2012-10-19 08:36:17 EDT
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 5.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 6.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise MRG 2.
Comment 2 Vincent Danen 2012-10-20 13:07:40 EDT
This has been assigned the name CVE-2012-4530.
Comment 3 Prasad J Pandit 2012-11-26 06:02:02 EST
Upstream patches [1] and [2] together fix this flaw of memory disclosure.

[1] http://www.spinics.net/lists/mm-commits/msg92245.html
[2] http://www.spinics.net/lists/mm-commits/msg92433.html

References:
 - https://lkml.org/lkml/2012/11/18/142
Comment 5 Prasad J Pandit 2012-11-26 06:08:54 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 880147]
Comment 7 Fedora Update System 2012-12-01 03:28:04 EST
kernel-3.6.8-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-12-06 23:26:04 EST
kernel-3.6.9-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-17 21:34:40 EST
kernel-3.6.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Prasad J Pandit 2012-12-19 01:28:35 EST
In a surprising development, the patch returning -ELOOP to end the inadvertent recursions was removed from the -mm tree.

 -> http://www.spinics.net/lists/mm-commits/msg93063.html

Which means the issue still persists.
Comment 11 John Kacur 2013-01-09 11:38:56 EST
(In reply to comment #10)
> In a surprising development, the patch returning -ELOOP to end the
> inadvertent recursions was removed from the -mm tree.
> 
>  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> 
> Which means the issue still persists.

Huh? "This patch was dropped because it was merged into mainline or a subsystem tree"

am I missing something here?
Comment 12 Josh Boyer 2013-01-09 12:15:37 EST
(In reply to comment #11)
> (In reply to comment #10)
> > In a surprising development, the patch returning -ELOOP to end the
> > inadvertent recursions was removed from the -mm tree.
> > 
> >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > 
> > Which means the issue still persists.
> 
> Huh? "This patch was dropped because it was merged into mainline or a
> subsystem tree"
> 
> am I missing something here?

No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in Fedora and upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14
Comment 13 John Kacur 2013-01-10 11:36:18 EST
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #10)
> > > In a surprising development, the patch returning -ELOOP to end the
> > > inadvertent recursions was removed from the -mm tree.
> > > 
> > >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > > 
> > > Which means the issue still persists.
> > 
> > Huh? "This patch was dropped because it was merged into mainline or a
> > subsystem tree"
> > 
> > am I missing something here?
> 
> No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in
> Fedora and upstream.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14

Ok, I see that now.
However, two commits are referred to, one is upstream, and the other is still -mm as far as I can tell, is the upstream one enough to fix the problem, or do we need both?
Comment 14 Prasad J Pandit 2013-01-11 01:56:35 EST
We need both. The second commit is on its way to upstream, will be there very soon.
Comment 16 John Kacur 2013-01-14 14:13:53 EST
(In reply to comment #15)
> Actually, both patches have been committed upstream:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=b66c5984017533316fd1951770302649baf1aa33
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=d740269867021faf4ce38a449353d2b986c34a67

thanks!
Comment 17 errata-xmlrpc 2013-02-05 14:56:17 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html
Comment 18 errata-xmlrpc 2013-03-06 14:25:29 EST
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0566 https://rhn.redhat.com/errata/RHSA-2013-0566.html