Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torvalds Creates Patch for Cross-Platform Virus

Posted by ryuzaki0 on from the just-here-to-make-things-work dept.

Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."

14 of 195 comments (clear)

  1. Fix it? by gnuadam · · Score: 5, Informative

    I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.

    --
    You say :wq, I say ZZ. Why can't we all just get along?
  2. Re:Does this mean... by Anakron · · Score: 5, Informative

    Yes. The kernel patch works around a bug in gcc. The patched systems are now *vulnerable*

    --
    There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
  3. Re:Does this mean... by Surt · · Score: 2, Informative

    This was marked funny, but unless I'm misreading the article, that is in fact what was done.

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  4. Incorrect title by cperciva · · Score: 5, Informative

    Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.

    Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.

    --
    Tarsnap: Online backups for the truly paranoid
    1. Re:Incorrect title by Anonymous Coward · · Score: 5, Informative

      Sorry, it was not a bug in the kernel either. A correct title would be "Linus patches kernel with workaround for GCC bug uncovered by cross platform virus". RTFA next time smartass, MMmmmkay?

    2. Re:Incorrect title by cperciva · · Score: 4, Informative

      So there was a bug to be fixed anyway, and the virus just happened to uncover it?

      Yes -- and it's quite possible that this bug was affecting other code, but with programs any more complicated than a virus, nobody debugged far enough to figure out that it was a kernel bug.

      --
      Tarsnap: Online backups for the truly paranoid
    3. Re:Incorrect title by aqfire · · Score: 2, Informative

      You could say that Linus patched the Linux kernel "for" the virus, so that it would run better. ;)

    4. Re:Incorrect title by Anonymous Coward · · Score: 3, Informative

      Most specifically, GCC made an assumption about the kernel that should have been correct (won't touch user registers) but wasn't guaranteed to be correct, and as of 2.6.16 was no longer correct. The kernel was patched to restore the assumption to correctness, since it really was a reasonable assumption.

  5. Re:On the other hand... by pclminion · · Score: 3, Informative

    Are you an idiot? Linus patched the kernel so that the virus WOULD work. Why would he lie about it not working in the first place if he went ahead and fixed the problem?

  6. Re:mis-feature by dhasenan · · Score: 4, Informative

    The virus in question apparently wasn't infecting system files--it didn't have an elevation-of-privileges feature, so it couldn't access /bin, /usr, etc. (And /etc, too, though that's not relevant.)

    So if a 'virus' is using standard OS features that legitimate applications also use, and suddenly the virus stops working, there's obviously been a change, and it breaks those legitimate applications.

    In short, Torvalds didn't want to remove a feature without prior discussion.

  7. Grammar Nazi Strikes! by dhasenan · · Score: 1, Informative

    Linus created a patch because of the virus. Thus, he created the patch for the virus. That is the meaning used in the article title.

    What he patched was the Linux kernel. Thus, he created the patch for the kernel. You know this usage; however, it is not the only one. Your attempt at a correction was flawed.

  8. Really now? by Anonymous Coward · · Score: 2, Informative

    http://dictionary.reference.com/search?q=viruses

  9. Re:Bug Virus? by after+fallout · · Score: 5, Informative

    AFIAK, there is no actual exploit in the code provided. The virus only does things that a regular program should be able to do, given the correct permissions.

    The virus, written in assembly, calls the kernel via a depreciated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.

    The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't suppossed to as a policy) so gcc forms code to make the system call in less time (less instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).

  10. The virus itself uncovered what should be a bug! by dido · · Score: 3, Informative

    Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.