Bug 868285 (CVE-2012-4530) - CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
Summary: CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
Status: CLOSED ERRATA
Alias: CVE-2012-4530
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20120818,reported=2...
Keywords: Security
Depends On: 880145 880146 880147 880153 880154
Blocks: 866868
TreeView+ depends on / blocked
 
Reported: 2012-10-19 12:15 UTC by Prasad J Pandit
Modified: 2015-07-31 10:35 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-29 07:13:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0223 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2013-02-06 00:52:09 UTC
Red Hat Product Errata RHSA-2013:0566 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2013-03-07 00:24:01 UTC

Description Prasad J Pandit 2012-10-19 12:15:55 UTC
A memory disclosure flaw has been found in the way binfmt_script load_script()
function handled excessive recursions. An unprivileged local user could use
this flaw to leak kernel memory.

References:
 - http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
 - https://lkml.org/lkml/2012/8/18/75

Proposed upstream fix:
 - https://lkml.org/lkml/2012/9/23/29

Comment 1 Prasad J Pandit 2012-10-19 12:36:17 UTC
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 5.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 6.

This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise MRG 2.

Comment 2 Vincent Danen 2012-10-20 17:07:40 UTC
This has been assigned the name CVE-2012-4530.

Comment 3 Prasad J Pandit 2012-11-26 11:02:02 UTC
Upstream patches [1] and [2] together fix this flaw of memory disclosure.

[1] http://www.spinics.net/lists/mm-commits/msg92245.html
[2] http://www.spinics.net/lists/mm-commits/msg92433.html

References:
 - https://lkml.org/lkml/2012/11/18/142

Comment 5 Prasad J Pandit 2012-11-26 11:08:54 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 880147]

Comment 7 Fedora Update System 2012-12-01 08:28:04 UTC
kernel-3.6.8-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-12-07 04:26:04 UTC
kernel-3.6.9-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-12-18 02:34:40 UTC
kernel-3.6.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Prasad J Pandit 2012-12-19 06:28:35 UTC
In a surprising development, the patch returning -ELOOP to end the inadvertent recursions was removed from the -mm tree.

 -> http://www.spinics.net/lists/mm-commits/msg93063.html

Which means the issue still persists.

Comment 11 John Kacur 2013-01-09 16:38:56 UTC
(In reply to comment #10)
> In a surprising development, the patch returning -ELOOP to end the
> inadvertent recursions was removed from the -mm tree.
> 
>  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> 
> Which means the issue still persists.

Huh? "This patch was dropped because it was merged into mainline or a subsystem tree"

am I missing something here?

Comment 12 Josh Boyer 2013-01-09 17:15:37 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > In a surprising development, the patch returning -ELOOP to end the
> > inadvertent recursions was removed from the -mm tree.
> > 
> >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > 
> > Which means the issue still persists.
> 
> Huh? "This patch was dropped because it was merged into mainline or a
> subsystem tree"
> 
> am I missing something here?

No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in Fedora and upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14

Comment 13 John Kacur 2013-01-10 16:36:18 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #10)
> > > In a surprising development, the patch returning -ELOOP to end the
> > > inadvertent recursions was removed from the -mm tree.
> > > 
> > >  -> http://www.spinics.net/lists/mm-commits/msg93063.html
> > > 
> > > Which means the issue still persists.
> > 
> > Huh? "This patch was dropped because it was merged into mainline or a
> > subsystem tree"
> > 
> > am I missing something here?
> 
> No.  Prasad and I discussed this already in the Fedora bug.  It's fixed in
> Fedora and upstream.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=880147#c14

Ok, I see that now.
However, two commits are referred to, one is upstream, and the other is still -mm as far as I can tell, is the upstream one enough to fix the problem, or do we need both?

Comment 14 Prasad J Pandit 2013-01-11 06:56:35 UTC
We need both. The second commit is on its way to upstream, will be there very soon.

Comment 16 John Kacur 2013-01-14 19:13:53 UTC
(In reply to comment #15)
> Actually, both patches have been committed upstream:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=b66c5984017533316fd1951770302649baf1aa33
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;
> h=d740269867021faf4ce38a449353d2b986c34a67

thanks!

Comment 17 errata-xmlrpc 2013-02-05 19:56:17 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0223 https://rhn.redhat.com/errata/RHSA-2013-0223.html

Comment 18 errata-xmlrpc 2013-03-06 19:25:29 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0566 https://rhn.redhat.com/errata/RHSA-2013-0566.html


Note You need to log in before you can comment on or make changes to this bug.