Bug 868285 (CVE-2012-4530) - CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
Summary: CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4530
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering880145 Engineering880146 880147 Engineering880153 Engineering880154
Blocks: Embargoed866868
TreeView+ depends on / blocked
 
Reported: 2012-10-19 12:15 UTC by Prasad Pandit
Modified: 2021-02-17 08:29 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-29 07:13:37 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0223 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2013-02-06 00:52:09 UTC
Red Hat Product Errata RHSA-2013:0566 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2013-03-07 00:24:01 UTC

Description Prasad Pandit 2012-10-19 12:15:55 UTC 
A memory disclosure flaw has been found in the way binfmt_script load_script()
function handled excessive recursions. An unprivileged local user could use
this flaw to leak kernel memory.

References:
 - http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
 - https://lkml.org/lkml/2012/8/18/75

Proposed upstream fix:
 - https://lkml.org/lkml/2012/9/23/29
Comment 1 Prasad Pandit 2012-10-19 12:36:17 UTC 
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 5.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 6.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise MRG 2.
Comment 2 Vincent Danen 2012-10-20 17:07:40 UTC 
This has been assigned the name CVE-2012-4530.
Comment 3 Prasad Pandit 2012-11-26 11:02:02 UTC 
Upstream patches [1] and [2] together fix this flaw of memory disclosure.

[1] http://www.spinics.net/lists/mm-commits/msg92245.html
[2] http://www.spinics.net/lists/mm-commits/msg92433.html

References:
 - https://lkml.org/lkml/2012/11/18/142
Comment 5 Prasad Pandit 2012-11-26 11:08:54 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 880147]
Comment 7 Fedora Update System 2012-12-01 08:28:04 UTC 
kernel-3.6.8-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-12-07 04:26:04 UTC 
kernel-3.6.9-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-18 02:34:40 UTC 
kernel-3.6.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Prasad Pandit 2012-12-19 06:28:35 UTC 
In a surprising development, the patch returning -ELOOP to end the inadvertent recursions was removed from the -mm tree.

 -> http://www.spinics.net/lists/mm-commits/msg93063.html

Which means the issue still persists.
Comment 11 John Kacur 2013-01-09 16:38:56 UTC 
(In reply to comment #10)
> In a surprising development, the patch returning -ELOOP to end the
> inadvertent recursions was removed from the -mm tree.
> 
>  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> 
> Which means the issue still persists.

Huh? "This patch was dropped because it was merged into mainline or a subsystem tree"

am I missing something here?
Comment 12 Josh Boyer 2013-01-09 17:15:37 UTC 
(In reply to comment #11)
> (In reply to comment #10)
> > In a surprising development, the patch returning -ELOOP to end the
> > inadvertent recursions was removed from the -mm tree.
> > 
> >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > 
> > Which means the issue still persists.
> 
> Huh? "This patch was dropped because it was merged into mainline or a
> subsystem tree"
> 
> am I missing something here?

No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in Fedora and upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14
Comment 13 John Kacur 2013-01-10 16:36:18 UTC 
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #10)
> > > In a surprising development, the patch returning -ELOOP to end the
> > > inadvertent recursions was removed from the -mm tree.
> > > 
> > >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > > 
> > > Which means the issue still persists.
> > 
> > Huh? "This patch was dropped because it was merged into mainline or a
> > subsystem tree"
> > 
> > am I missing something here?
> 
> No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in
> Fedora and upstream.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14

Ok, I see that now.
However, two commits are referred to, one is upstream, and the other is still -mm as far as I can tell, is the upstream one enough to fix the problem, or do we need both?
Comment 14 Prasad Pandit 2013-01-11 06:56:35 UTC 
We need both. The second commit is on its way to upstream, will be there very soon.
Comment 15 Josh Poimboeuf 2013-01-11 14:05:03 UTC 
Actually, both patches have been committed upstream:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b66c5984017533316fd1951770302649baf1aa33
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d740269867021faf4ce38a449353d2b986c34a67
Comment 16 John Kacur 2013-01-14 19:13:53 UTC 
(In reply to comment #15)
> Actually, both patches have been committed upstream:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=b66c5984017533316fd1951770302649baf1aa33
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=d740269867021faf4ce38a449353d2b986c34a67

thanks!
Comment 17 errata-xmlrpc 2013-02-05 19:56:17 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html
Comment 18 errata-xmlrpc 2013-03-06 19:25:29 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0566 https://rhn.redhat.com/errata/RHSA-2013-0566.html
Note You need to log in before you can comment on or make changes to this bug.