Slashdot Mirror


Torvalds Creates Patch for Cross-Platform Virus

Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."

53 of 195 comments

  1. mis-feature by Douglas+Simmons · · Score: 4, Insightful

    Gotta admire how Linus calls a spade a spade even when that spade is a Good Thing. Imagine how MS would spin this if it happened to them.

    1. Re:mis-feature by Anonymous Coward · · Score: 3, Interesting

      Imagine how /. is going to spin this as "not a linux problem".

    2. Re:mis-feature by shotfeel · · Score: 4, Interesting

      From TFA:

      Leave it to open source hackers to debug and fix aging viral code so that it works correctly.

      That's what I find amazing - fixing things so the virus will run properly.

    3. Re:mis-feature by dhasenan · · Score: 4, Informative

      The virus in question apparently wasn't infecting system files--it didn't have an elevation-of-privileges feature, so it couldn't access /bin, /usr, etc. (And /etc, too, though that's not relevant.)

      So if a 'virus' is using standard OS features that legitimate applications also use, and suddenly the virus stops working, there's obviously been a change, and it breaks those legitimate applications.

      In short, Torvalds didn't want to remove a feature without prior discussion.

  2. This is what we call geeks by microbee · · Score: 5, Insightful

    :)

  3. one-man army by caffeinemessiah · · Score: 2, Insightful
    goes to show that if one person has complete mastery over a piece of code (e.g. the kernel), and if they're decently competent, they should be able to fix it very quickly and very soon. imagine this floating around a programming group -- being passed from one person to the next, each with their partial understanding of the whole system.

    that's one up for good ol' fashioned hacking...

    --
    An old-timer with old-timey ideas.
    1. Re:one-man army by Skiron · · Score: 3, Insightful

      Not only the 'one' person, but a clean code base that makes a small fix. I expect the others would need a few hundred MB patch and lots of breakage/bundled/undocumented updates to fix it (as normal).

    2. Re:one-man army by rbochan · · Score: 5, Insightful

      what prevents each member of a programming group from having "complete mastery" of the kernel?

      2 words:

      middle management

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  4. Fix it? by gnuadam · · Score: 5, Informative

    I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.

    --
    You say :wq, I say ZZ. Why can't we all just get along?
    1. Re:Fix it? by Anonymous Coward · · Score: 3, Interesting

      yes, but it was a flaw in the operating system nonetheless. Just because a virus discovered the flaw doesn't mean the flaw shouldn't be fixed.

      If someone validates your website, and points out to you that it's invalid, do you complain that they use IE? No, you correct the page to make it valid again. (of course, it still won't work in IE, but c'est la vie)

    2. Re:Fix it? by FhnuZoag · · Score: 5, Funny

      Well, one more step towards making Linux ready for the desktop.

  5. Does this mean... by RealBothersome · · Score: 5, Funny

    ...that linux was patched so that the virus would now function as expected? I'd hate to think we left any program behind.

    1. Re:Does this mean... by Anakron · · Score: 5, Informative

      Yes. The kernel patch works around a bug in gcc. The patched systems are now *vulnerable*

      --
      There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
    2. Re:Does this mean... by Surt · · Score: 2, Informative

      This was marked funny, but unless I'm misreading the article, that is in fact what was done.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    3. Re:Does this mean... by skiman1979 · · Score: 3, Insightful

      Well I guess from a software development standpoint, "fixing" the kernel would be the right thing to do. True, this fix does allow the virus to propagate, but the fix makes the kernel work properly. A virus is a program after all, and it should work properly in the operating system just like any other piece of software. :-)

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    4. Re:Does this mean... by arodland · · Score: 2, Funny

      +1 Not Fantastically Stupid Like Everyone Else Today

      Slashdot needs this moderation option almost as much as it needs

      -1 Just Plain Obviously Wrong Stuff Quoted as Fact

  6. So does this "bug" count by EraserMouseMan · · Score: 4, Funny

    as a patch or a bug or a buggy patch?

    1. Re:So does this "bug" count by Winlin · · Score: 2, Funny

      A patchy bug.

    2. Re:So does this "bug" count by dgatwood · · Score: 2, Funny
      No, Apache bug is how they gained local access to run the exploit code in the first place.

      :-D

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Next week: by moochfish · · Score: 4, Funny

    Next week: "Torvalds Patches Kernel Against Cross-Platform Virus"

  8. Re:On the other hand... by DrJimbo · · Score: 2, Insightful
    AC said:
    If Bill Gates had said that he proved this virus doesn't work on Windows, we're supposed to believe him, too?
    Sure, if he shows us the source code.

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  9. A bug is a bug. by Spy+der+Mann · · Score: 3, Interesting

    Who says this bug didn't mess up with WINE libs, preventing OTHER programs from working correctly?

    Of course, we'll need a sandbox patch or something BEFORE windows viruses start affecting WINE+linux :)

  10. The Microsoft equivalent? by Foofoobar · · Score: 5, Funny

    Ok... now let's see Bill Gates issue his own patch. The clock's ticking Bill. :)

    --
    This is my sig. There are many like it but this one is mine.
    1. Re:The Microsoft equivalent? by InsaneGeek · · Score: 2, Funny

      Microsoft's patch was already done way before Linus's, being the forward thinkers they are they made sure to be in front of the "make sure to get infected" chess game. Linus had to play catchup with this patch to make sure Linux continues to get infected.

  11. Incorrect title by cperciva · · Score: 5, Informative

    Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.

    Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.

    1. Re:Incorrect title by Anonymous Coward · · Score: 5, Informative

      Sorry, it was not a bug in the kernel either. A correct title would be "Linus patches kernel with workaround for GCC bug uncovered by cross platform virus". RTFA next time smartass, MMmmmkay?

    2. Re:Incorrect title by cperciva · · Score: 4, Informative

      So there was a bug to be fixed anyway, and the virus just happened to uncover it?

      Yes -- and it's quite possible that this bug was affecting other code, but with programs any more complicated than a virus, nobody debugged far enough to figure out that it was a kernel bug.

    3. Re:Incorrect title by aqfire · · Score: 2, Informative

      You could say that Linus patched the Linux kernel "for" the virus, so that it would run better. ;)

    4. Re:Incorrect title by Anonymous Coward · · Score: 3, Informative

      Most specifically, GCC made an assumption about the kernel that should have been correct (won't touch user registers) but wasn't guaranteed to be correct, and as of 2.6.16 was no longer correct. The kernel was patched to restore the assumption to correctness, since it really was a reasonable assumption.

    5. Re:Incorrect title by abb3w · · Score: 2, Insightful
      Technically, it appears to be a bug in GCC - Linus patched the kernel to work around the bug.

      Actually, it's easy to make a case that both had bugs. GCC made the assumption that the Kernel does not mess with user registers. Since the assumption was wrong (and not required to be true under the kernel spec), it is a bug in the compiler. Since the assumption was reasonable (although not required), it is a bug (or at least a wart) in the kernel. Hopefully, the GCC will eventually get patched, too.

      --
      //Information does not want to be free; it wants to breed.
  12. You don't really know that it is a good thing by einhverfr · · Score: 2, Insightful

    If it is a bug in the ABI relating to the kernel, you may have a problem. Binary apps such as those old Loki-ported games, or binary apps such as Oracle might have odd problems.

    So it really is a good thing to patch.

    Just because a bug is uncovered by a virus doesn't mean that it is not a bug.

    --

    LedgerSMB: Open source Accounting/ERP
  13. This is EXACTLY why I run NetBSD by Anonymous Coward · · Score: 5, Funny

    I don't want to get infected with any of them Windows viruses, Mac Worms, or Linux Diseases.
    So I run NetBSD
    On a VAX

    I'm slow, but I'm not infected.
    (that's what I tell my girl also)

  14. My question... by tktk · · Score: 4, Funny

    I know it was a proof of concept but... does the virus perform better on Windows or Linux?

  15. Re:Only 16 comments?! by AnalystX · · Score: 5, Funny

    Some of the "fanboys" are applying the new patch, and the rest are looking at the contents of your hard drive right now.

  16. Re:On the other hand... by pclminion · · Score: 3, Informative

    Are you an idiot? Linus patched the kernel so that the virus WOULD work. Why would he lie about it not working in the first place if he went ahead and fixed the problem?

  17. Viruses on Linux ??? by ravee · · Score: 3, Funny

    I think the viruses cause damage only if the person uses his machine logged in as root. If he is logged in as an ordinary user, I wonder how it is going to make a difference? At the most, some of his personal files may be modified or his keystrokes logged or the virus may use his machine to propagate to other machines. So what is the hoopla about this proof of concept virus which was created in a lab in some anti-virus company? I suspect this is a conspiracy of these anti-virus companies to stay afloat by creating a buzz about a virus in Linux.

    --
    Linux Help
    for all things on Linux
    1. Re:Viruses on Linux ??? by Phroggy · · Score: 2, Insightful

      For a typical home user, malware that wipes out the user's home directory can be absolutely devastating, while malware that only wipes out the operating system isn't really a big deal. The OS can be reinstalled fairly easily. Most of your personal data probably isn't backed up.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  18. Best part by slashflood · · Score: 5, Interesting

    from TFA:

    This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business. [...] And shame on the anti-viral industry, Kaspersky Lab in particular, for its attempts to deceive the public by passing off old code as something new.

  19. Gee. by ultramk · · Score: 4, Funny

    Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem."

    Oh, um... Well, hmmm.

    Thanks, Linus. I guess.

    m-

    --
    You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
  20. Goal :)? by suv4x4 · · Score: 4, Funny

    Today, we fix Linux to support a cross-platform virus, tomorrow: support for Windows viruses.

  21. More on Linus + virus by caffeination · · Score: 5, Interesting
    From Newsforge
    We sent an email to Linus Torvalds to let him know about our testing. He replied:

    That said, it sounds like it's a regular program that just happens to work on both Windows and Linux, and that happens to do things that are perfectly OK per se (i.e. writing to files that are owned by the user). So it's interesting just because of the "works on both Linux and Windows" angle, not because of any viral nature.

    This is a really good insight, I think. While the rest of us are thinking about the "virus" and wondering what it means for the future, Linus identifies all these ignored technical aspects.

    The power of a mind untouched by Slashdot?

  22. Really now? by Anonymous Coward · · Score: 2, Informative
  23. Re:Bug Virus? by JamesTRexx · · Score: 2, Insightful

    Yes, behold the beauty of the power of open source. Bugs get fixed quickly, even bugs that deal with viruses.

    --
    home
  24. Now that's bug compatibility by TekPolitik · · Score: 3, Funny

    A patch to make sure a virus runs gives a whole new meaning to the term "bug compatible".

  25. My answer by EmbeddedJanitor · · Score: 5, Funny

    Performance is only a small part of the issue. You have to look at the TCO of running viruses to appreciate Windows properly. With Linux it is far harder to run a virus and you've got to train all your users to chmod etc. With Windows it's much easier, just double click or drag and drop. Now that saves you a bundle in IT tech support when people ask "how do I install virus X on my PC?" Further, with Windows you get a lot more choice. You can get a wide selection of popular viruses from easy to download sources. Linux is pretty short on choice, so if you switch to Linux you're limiting choice which is UnAmerican.

    --
    Engineering is the art of compromise.
  26. Re:Bug Virus? by after+fallout · · Score: 5, Informative

    AFAIK, there is no actual exploit in the code provided. The virus only does things that a regular program should be able to do, given the correct permissions.

    The virus, written in assembly, calls the kernel via a deprecated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.

    The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't supposed to as a policy) so gcc forms code to make the system call in less time (less instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).

  27. Re:Bug Virus? by Harik · · Score: 5, Insightful
    You do realize that the virus wasn't calling the exploit_to_gain_root() syscall, right? It was doing file I/O to a specific file that it had already opened and gained access to. And that failed, because of a GCC bug that caused the kernel to tromp on the userspace registers.

    In fact, it would bite any program doing direct syscalls rather than using libc, so it might break linux handwritten asm code as well.
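
Added example, not part of the thread and not the kernel patch itself: the register-preservation behaviour described in the two comments above can be checked with a small C regression test that makes a direct `int 0x80` call and compares EBX before and after. The use of `close()` on a never-open descriptor and the names `SENTINEL_FD`, `NR_CLOSE_I386` and `ebx_preserved_across_int80` are assumptions made for this example.

```c
/* Added example: does a direct int 0x80 system call leave EBX intact? */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

#define NR_CLOSE_I386 6L         /* close() in the 32-bit syscall table */
#define SENTINEL_FD 0x7ffffff0L  /* constructed: a descriptor that is never open */

static sigjmp_buf no_int80;

static void on_fault(int sig) { (void)sig; siglongjmp(no_int80, 1); }

/* Returns 1 if EBX survived the call, 0 if it was clobbered, and -1 if
 * int 0x80 is unusable here (non-x86 CPU or no 32-bit syscall entry). */
int ebx_preserved_across_int80(void)
{
    volatile int result = -1;
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old_segv, old_sys;
    sa.sa_handler = on_fault;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);  /* raised when int 0x80 is disabled */
    sigaction(SIGSYS, &sa, &old_sys);    /* raised by some syscall filters */
    if (sigsetjmp(no_int80, 1) == 0) {
        long ax = NR_CLOSE_I386;  /* in: syscall number, out: return value */
        long bx = SENTINEL_FD;    /* the first argument travels in EBX */
        __asm__ volatile ("int $0x80"
                          : "+a"(ax), "+b"(bx)
                          :
                          : "memory", "cc"
#ifdef __x86_64__
                          /* not guaranteed to be preserved on older kernels */
                          , "r8", "r9", "r10", "r11"
#endif
                          );
        result = (bx == SENTINEL_FD);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGSYS, &old_sys, NULL);
#endif
    return result;
}

int main(void)
{
    int r = ebx_preserved_across_int80();
    puts(r == 1 ? "EBX preserved across int 0x80"
       : r == 0 ? "EBX clobbered by the system call"
                : "int 0x80 not available on this system");
    return r == 0;
}
```

The program exits non-zero only when the register was clobbered, so it can run as a check in a kernel or toolchain test suite.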

  28. AT MOST HIS PERSONAL FILES ????? by Anonymous Coward · · Score: 2, Insightful

    if id lose all my personal files (mails, mp3s, documents, code) that would suck man. my root-owned files .... pfft, id just re-install the damn distro

  29. The virus itself uncovered what should be a bug! by dido · · Score: 3, Informative

    Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  30. Great new slogan for Linux by myxiplx · · Score: 2, Funny

    Linux: So secure we have to patch it to make viruses run.

  31. Hmmm A patch is a patch by Anon-Admin · · Score: 2

    So let me get this right, Windows viruses exploit bugs in windows to work and windows has to patch the bugs to stop the virus.

    In Linux the virus uses proper programming methodology to work, exposes a bug in the 2.6.16 kernel and will not run on 2.6.16, which Linus fixes. So now the virus works across the board.

    This seems to boil down to.

    Windows == Oh my god a virus, quick fix the bug and stop the virus.

    Linux == Hmmm, it works everywhere except on the 2.6.16 kernel. Let's fix the kernel and make it work on all linux systems.

    I guess it just shows that even a well written virus on linux is no real threat.

  32. Re:armageddon by microbee · · Score: 2, Insightful
    Well, technically it's the title, not the smiley, but who cares? Certainly how a posting is modded is more important than the topic itself, isn't it?

    What I tried to imply is this mental picture: someone posted a virus for Linux, and Linus wasn't worried about PR or any implication of "Linux is insecure". Instead, he was worried about a kernel/gcc bug that was exposed by the virus, although the bug actually could help to defeat the virus. And he went on to fix the bug and let the virus run.

    This is quite a picture that shows how a geek reacts. He only sees the technical side of everything and is honest about it. No politics, no B.S. And here comes the title: this is what we call geeks. It's getting silly to have to elaborate. I thought people would get it, although I wasn't expecting either an OT or an Insightful. But with both replies to my posting arguing how it should have been modded, it seems I have to do this silly thing. I should remember that insightfulness surely is related to length of the text.

  33. HA! Pro-linux apotheocratic cult by mrcolj · · Score: 2, Funny

    Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven...

    HA! I know Slashdot is cultishly pro-linux, but the bias above is hilarious! I keep hearing Mr. Subliminal saying "Linus Torvalds (God) took a few minutes (every person in Seattle has been working at this individually and collectively for weeks...) to prove (Bill Gates is just making stuff up, but anything Linus spends a few minutes perusing is proven. Oh, and despite the mobs developing Linux, )"

    --
    --Colin Jensen
    colinandbethany.com