Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torvalds Creates Patch for Cross-Platform Virus

Posted by ryuzaki0 on from the just-here-to-make-things-work dept.

Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."

16 of 195 comments (clear)

  1. This is what we call geeks by microbee · · Score: 5, Insightful

    :)

  2. Fix it? by gnuadam · · Score: 5, Informative

    I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.

    --
    You say :wq, I say ZZ. Why can't we all just get along?
    1. Re:Fix it? by FhnuZoag · · Score: 5, Funny

      Well, one more step towards making Linux ready for the desktop.

  3. Does this mean... by RealBothersome · · Score: 5, Funny

    ...that linux was patched so that the virus would now function as expected? I'd hate to think we left any program behind.

    1. Re:Does this mean... by Anakron · · Score: 5, Informative

      Yes. The kernel patch works around a bug in gcc. The patched systems are now *vulnerable*

      --
      There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
  4. Re:one-man army by rbochan · · Score: 5, Insightful

    what prevents each member of a programming group from having "complete mastery" of the kernel?

    2 words:

    middle management

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  5. The Microsoft equivalent? by Foofoobar · · Score: 5, Funny

    Ok... now lets see Bill Gates issue his own patch. The clocks ticking Bill. :)

    --
    This is my sig. There are many like it but this one is mine.
  6. Incorrect title by cperciva · · Score: 5, Informative

    Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.

    Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.

    --
    Tarsnap: Online backups for the truly paranoid
    1. Re:Incorrect title by Anonymous Coward · · Score: 5, Informative

      Sorry, it was not a bug in the kernel either. A correct title would be "Linus patches kernel with workaround for GCC bug uncovered by cross platform virus". RTFA next time smartass, MMmmmkay?

  7. This is EXACTLY why I run NetBSD by Anonymous Coward · · Score: 5, Funny

    I don't want to get enfected with any of them Windows viruses, Mac Worms, or Linux Diseases.
    So I run NetBSD
    On a VAX

    I'm slow, but I'm not infected.
    (that's what I tell my girl also)

  8. Re:Only 16 comments?! by AnalystX · · Score: 5, Funny

    Some of the "fanboys" are applying the new patch, and the rest are looking at the contents of your hard drive right now.

  9. Best part by slashflood · · Score: 5, Interesting

    from TFA:

    This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business. [...] And shame on the anti-viral industry, Kaspersky Lab in particular, for its attempts to deceive the public by passing off old code as something new.

  10. More on Linus + virus by caffeination · · Score: 5, Interesting
    From Newsforge
    We sent an email to Linus Torvalds to let him know about our testing. He replied:

    That said, it sounds like it's a regular program that just happens to work on both Windows and Linux, and that happens to do things that are perfectly OK per se (i.e. writing to files that are owned by the user). So it's interesting just because of the "works on both Linux and Windows" angle, not because of any viral nature.

    This is a really good insight, I think. While the rest of us are thinking about the "virus" and wondering what it means for the future, Linus identifies all these ignored technical aspects.

    The power of a mind untouched by Slashdot?

  11. My answer by EmbeddedJanitor · · Score: 5, Funny

    Performance is only a small part of the issue. You have to look at the TCO of running viruses to appreciate Windows properly. With Linux it is far harder to run a virus and you've got to train all your users to chmod etc. With Windows it's much eaiser, just double click or drag and drop. Now that saves you a bundle in IT tech support when people ask "how do I install virus X on my PC. Further, with Windows you get a lot more choice. You can get a wide selection of popular viruses from easy to download sources. Linux is pretty short on choice, so if you switch to Linux you're limiting choice which is UnAmerican.

    --
    Engineering is the art of compromise.
  12. Re:Bug Virus? by after+fallout · · Score: 5, Informative

    AFIAK, there is no actual exploit in the code provided. The virus only does things that a regular program should be able to do, given the correct permissions.

    The virus, written in assembly, calls the kernel via a depreciated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.

    The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't suppossed to as a policy) so gcc forms code to make the system call in less time (less instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).

  13. Re:Bug Virus? by Harik · · Score: 5, Insightful
    You do realize that the virus wasn't calling the explot_to_gain_root() syscall, right? It was doing file I/O to a specific file that it had already opened and gained access to. And that failed, because of a GCC bug that caused the kernel to tromp on the userspace registers.

    In fact, it would bite any program doing direct syscalls rather then using libc, so it might break linux handwritten asm code as well.