From: Kees Cook
To: P J P
Cc: Al Viro, linux-kernel@vger.kernel.org, Andrew Morton, Josh Triplett, Serge Hallyn, linux-fsdevel@vger.kernel.org, halfdog
Date: Fri, 16 Nov 2012 10:00:35 -0800
Subject: Re: [PATCH] exec: do not leave bprm->interp on stack
References: <20121024232032.GA31129@www.outflux.net> <20121025041620.GH2616@ZenIV.linux.org.uk> <20121025120952.GI2616@ZenIV.linux.org.uk> <20121025123843.GJ2616@ZenIV.linux.org.uk> <20121026183601.GR2616@ZenIV.linux.org.uk>

On Fri, Nov 16, 2012 at 4:50 AM, P J P wrote:
>
> Hello folks,
>
> +-- On Mon, 12 Nov 2012, Kees Cook wrote --+
> | > Al, what's your take on the *rare* extra call to request_module?
> |
> | Without any other feedback, I'd like to use my minimal allocation
> | patch, since it fixes the problem and doesn't change any of the
> | semantics of how/when loading happens.
>
> I did apply and test this patch with kernel-3.5.3 on my machine. Now it
> seems to disclose dynamically allocated (kstrdup) bytes, instead of the call
> stack bytes. Recursions still dodge and exceed the limit of
> BINPRM_MAX_RECURSION(4).
>
> Please pardon my asking, but - how is this a fix?

Hrm? It should be showing only the live heap-allocated interp -- are you seeing uninitialized contents?

-Kees

--
Kees Cook
Chrome OS Security
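As an added illustration of the fix pattern the thread is discussing (this is not the patch under review or kernel code): a user-space model in which a load_script-style handler parses the interpreter name into a local buffer and hands the bprm a heap copy before that frame is gone, alongside a BINPRM_MAX_RECURSION depth check. The struct, the function names, `dup_string` as a kstrdup stand-in and the `>=` form of the check are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>

#define BINPRM_MAX_RECURSION 4 /* limit named in the thread */

/* User-space model of two fields the thread discusses; not struct linux_binprm. */
struct binprm_model { char *interp; int recursion_depth; };

/* Portable stand-in for kstrdup(): heap copy of a NUL-terminated string. */
static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    return copy ? memcpy(copy, s, len) : NULL;
}

/* Point bprm->interp at a fresh heap copy, freeing the previous one so nested
 * script handling neither leaks nor dangles. 0 on success, -1 on ENOMEM. */
static int bprm_set_interp(struct binprm_model *b, const char *name)
{
    char *copy = dup_string(name);
    if (!copy)
        return -1;
    free(b->interp);
    b->interp = copy;
    return 0;
}

/* Depth check (assumed '>=' form): -1 stands in for -ENOEXEC at the limit. */
static int bprm_enter_handler(struct binprm_model *b)
{
    if (b->recursion_depth >= BINPRM_MAX_RECURSION)
        return -1;
    b->recursion_depth++;
    return 0;
}

/* load_script-style handler: the interpreter after "#!" is parsed into a buffer
 * that dies with this frame, so the bprm may keep only the heap copy. */
static int load_script_model(struct binprm_model *b, const char *shebang_line)
{
    char local[128];
    size_t n = strcspn(shebang_line, " \n");  /* length of the "#!interp" token */
    if (strncmp(shebang_line, "#!", 2) != 0 || n <= 2 || n - 2 >= sizeof local)
        return -1;
    memcpy(local, shebang_line + 2, n - 2);
    local[n - 2] = '\0';
    return bprm_set_interp(b, local);         /* copy out before 'local' dies */
}
```

Each nested handler level calls bprm_enter_handler() first, so the fifth level is refused while the interp string stays valid across levels.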