Bug In Most Linuxes Can Give Untrusted Users Root
Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. "The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution... doesn't properly implement that protection... The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. ... [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications." The register reprints a dialog from the OpenBSD-misc mailing list in which Theo De Raadt says, "For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution."
Torvalds:
Am I missing something? Torvald's reply actually sounds pretty reasonable to me here. It might be nice if this exploit could be patched, but it seems a little preposterous to me that you could make that work in a way that doesn't leave an exploit. I'd say you need to be locking down your suid binaries more, not blaming kernel management.
What do you mean Windows requires it to work like this? On Windows accessing a NULL pointer is always an exception, no process is ever allowed to map the bottom page of memory. This has been true since Windows has existed. So in fact it is only Windows systems that are immune to this class of exploit because writing programs and kernel code vulnerable to it leads to an immediate crash.
If you wanted to specify this invariant on Linux you could, you'd just break some existing apps that depend on it. Ironically, it seems that Wine depends on this behavior.
Natural != (nontoxic || beneficial)