Hole In Linux Kernel Provides Root Rights

oztiks writes with this excerpt from The H: "A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."

Serve them right

That's why those of us in the know stick to 8-bit Linux kernal.

Re:Serve them right

Those of us in the know think you are referring to a UNIX breed...not Linux which was i386...

Re:Serve them right

Yes, LUNIX.

Re:Serve them right

[spartacus_prime]

8 bits oughta be enough for everyone!

Re:Serve them right

[iGaucho]

And that's why I use OpenBSD :)

Re:Serve them right

I thought that was because you were a pretentious wanker?

Re:Serve them right

[Nethead]

http://en.wikipedia.org/wiki/UniFLEX

Re:Serve them right

[pem]

Also Cromix

Re:Serve them right

[DiegoBravo]

Thank you Adobe! you saved my machine!

Re:Serve them right

I have a binary kernel. It's either popped or not.

Of course I once tried to pop it using radioactive isotopes and left myself eternally wondering.

Re:Serve them right

no, just no

Re:Serve them right

[Nethead]

Ah, Cromemco. All us hobbyist types drooled over their industrial offerings.

Re:Serve them right

[Jawcracker+Fuzz]

Also Wanker

Re:Serve them right

Because no one gives a fuck what OS some random goofball uses?

Re:Serve them right

[jamesh]

And those even more in the know use a two-bit operating system like Windows :)

Re:Serve them right

No I'm a pretentious wanker. He's just a BSD user!

Re:Serve them right

[Idiomatick]

1 bit operating systems are totally impossible to infect though.

Re:Serve them right

[jc42]

And that's why I use OpenBSD :)

I thought that was because you were a pretentious wanker?

It's quite possible to have two independent reasons for doing something.

Re:Serve them right

[MobileTatsu-NJG]

And that's why I use OpenBSD :)

I thought that was because you were a pretentious wanker? (Score:2, Insightful)

I'm sorry, but as a Windows guy, it's really hard to watch a Linux guy get annoyed at somebody else bragging about their chosen OS's superiority and not have a chuckle about it.

Re:Serve them right

[calidoscope]

While OpenBSD doesn't have a perfect record for security, it is a heck of a lot better than Linux. OTOH, Linux is often the better choice for desktop usage when security is not an issue.

Theo seems enough of an anal-retentive to make sure a security patch stays in the source tree.

Re:Serve them right

[grcumb]

1 bit operating systems are totally impossible to infect though.

That's true!

... Or false...

Re:Serve them right

[buchner.johannes]

I would like to know if SELinux, grsecurity, PAX or some other hardened Linux measure would have prevented this privilege escalation.
SELinux tracks how the user logged in, and always looks at this security context. If I am not mistaken, when configured correctly, e.g. a webserver would not be able to do actions as root, even in the case of privilege escalation.

Re:Serve them right

[x2A]

I remember that! Where Linux used jiffies as its unit of time, it instead used lunitix

Re:Serve them right

[Kymermosst]

Linux is often the better choice for desktop usage when security is not an issue.

Security is *always* an issue. Especially on the desktop. One merely needs to look at the large botnets comprised entirely of zombie Windows machines to understand why.

Re:Serve them right

[allaunjsilverfox2]

http://lng.sourceforge.net/ Always provide your sources. :p

Re:Serve them right

[Gordonjcp]

While OpenBSD doesn't have a perfect record for security

OpenBSD has got a *terrible* record for security. The illusion of security is only maintained because every time someone discovers a gaping exploit in OpenBSD, Theo moves the goalposts on what he considers a security hole. Just look at all the descriptions of "errata" for OpenBSD - bugfixes for security holes!

Theo is like that kid who, no matter what game you were playing, would always start making up bullshit rules whenever he started losing. Like, "Tag! You're it!" "No I'm not it, that tag didn't count because I'm uh... I'm near this rock".
Don't be that kid. That kid is a dick.

Re:Serve them right

[evanism]

Hey, I'm a Windows Zombie and I feel you are discriminating against me. Is this because of braaaiiinnnssss?

Re:Serve them right

[Compaqt]

That's it, forget Linux, I'm moving to GNU HURD.

2012: The Year of the HURD Desktop.

Re:Serve them right

[jedidiah]

> Security is *always* an issue. Especially on the desktop. One merely needs to look at the large botnets comprised entirely of zombie Windows machines to understand why.

However, the obsession with it the exclusion of all else might not be wise considering that neither Linux nor MacOS are in those botnets.

It's like using a Yugo to argue the need to drive a tank down to the corner grocery.

It's not just the bugs, it's also the overall design.

Re:Serve them right

2201: The Year of the HURD Desktop.

FTFY, though I admit I may be being a tad optimistic there.

Re:Serve them right

[the_brobdingnagian]

Get your facts straight: We OpenBSD users are a bunch of masturbating monkeys.

Re:Serve them right

I would like to know if SELinux, grsecurity, PAX or some other hardened Linux measure would have prevented this privilege escalation.
SELinux tracks how the user logged in, and always looks at this security context. If I am not mistaken, when configured correctly, e.g. a webserver would not be able to do actions as root, even in the case of privilege escalation.

No it would not. From the SELinux perspective, its the kernel doing the action and not the webserver account. Also, SELinux doesn't control what syscalls can be invoked.

Its interesting that one of these so called "many-eyes that generate better code", probably removed the patch not understanding why it was there in the first place.

Re:Serve them right

[jd]

I suggest you look up the Sherman Tank sketch from Kenny Everett's television show. It does indeed use a cheap car to demonstrate the need to drive a tank down to the grocery store.

Re:Serve them right

[geminidomino]

Get your facts straight: We OpenBSD users are a bunch of masturbating monkeys.

I thought that was going to be Ubuntu 10.10

Re:Serve them right

This is why I use grsecurity.

From gentoo-hardened list "If you enable CONFIG_PAX_MEMORY_UDEREF=y, the
exploits fail even with access to symbol info. If possible, I would
also recommend enabling CONFIG_PAX_KERNEXEC=y."

Re:Serve them right

[redbaritone]

I thought that was because you were a pretentious wanker?

His wanker is only 2-bit. Can't beat that!

Perhap the kernel's size is becoming too unweildy

I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

Maybe it's time to seperate out core kernel code and the arch specific stuff into seperate modules with seperate administration. Git would make this easy, so why aren't we seeing it done?

Patch

For those who compile from source, here is the patch:

---kernel.c
+++kernel.c
@@ -1,1 +1,1 @@
- void goatse(long cx) {
+ void goatse(int cx) {

The change from long to int closes the massive hole.

Re:Patch

[leromarinvit]

Shouldn't that be a char? After all, an int can still be 2^31-1, so depending on the units used, it would still be a pretty huge hole.

Re:Patch

[Kjella]

No, it should be a boolean, inscribed to false in stone - or at least ROM, and none of the rewritable kind.

Re:Patch

[lennier1]

Let's just settle on a boolean value (open|closed).

Re:Patch

[leromarinvit]

And, alas, the way the memory-conscious C programmer would store that single boolean is a char. Of course, if you wanted to have a beowulf cluster of massive holes, you'd use bit fields or manual bit arithmetic.

Re:Patch

char is also system specific and could be 2^31-1 on a system with 32bit characters.
Use short for something less than long.
For bytes you will have to define your own types or include someone elses.

Re:Patch

[fnj]

Patch contains an even worse vulnerability. It renders your system a piece of crap.

Re:Patch

A piece of crap that's compatible with a rather wide variety of consumer software.

(Though I'll admit that I really don't use most of it.)

Re:Patch

[optikos]

On a system with 32-bit characters because ISO9899-bytes are 32-bit on that processor, for octets you will have to define your own types or include someone elses.

There, I fixed that for you.

DSPs are the typical processor with 32-bit chars. On DSPs, as per ISO9899, if chars are 32-bit because bytes are 32-bit (because 32-bit bytes are the smallest addressable unit of memory as each memory address is incremented by one), then short and int is 32-bit as well. As per ISO9899, none of {long long, long, int, short} can be smaller than a char, because by definition that smaller-than-char thing would nullify the claim that 32-bit bytes as chars are the smallest addressable unit.

Re:Patch

If I had mod points, I'd give this a Funny

Then again, I suppose the reason it's funny is because I administer quite a few Windows and Linux boxes, so I read quite a lot of sarcasm into this troll – "patching" Linux with Win7 is like shooting a radio to "fix" the crappy music coming out; come to think of it, that's giving way too much credit to Win7.

It's called humor, you should try it.

Re:Patch

Oh man, goatse is finally funny.

Re:Patch

And, alas, the way the memory-conscious C programmer would store that single boolean is a char.

The Linux kernel compiled by gcc uses a 4-byte aligned stack frame, so this optimization gets you nothing...

But more generally, use bool unless you have a good reason to save space, e.g. bool[100000] might be a bad idea, but a single bool on the stack as either a function argument or a local variable isn't going to hurt, and using char instead may lead to a slight performance degradation versus bool due to alignment issues (that are beyond my understanding).

There's a reason gcc implements sizeof(bool) > 1. I don't claim to understand what it is, but I do know that gcc developers are smarter than me...

Re:Patch

Patch contains an even worse vulnerability. It renders your system a piece of crap.

Cool... I've been looking for some 3D rendering software that can render piles of manure.

Re:Patch

@Kjella once you see #goatse, that memory will never be lost or overwritten

Re:Patch

[larry+bagina]

The C standard doesn't specify sizes but requires that

sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)

so if a char is 32-bit, a short must be 32-bit (or more) as well. C-99's <stdint.h>, requires typedefs (eg, uint8_t, int8_t) for 8, 16, and 32-bit signed and unsigned integers.

Re:Patch

[sconeu]

How did the TI 340x0 series deal with it? It was a *bit-addressable* machine, but char was 8 bits. They shipped an (allegedly) ISO compliant C89 compiler for it.

Re:Patch

why would you want to plug a hole that big? We gophers shy away from holes that big because they usually contain beasts known as gonorrhea, herpes, and girls from the south.

Re:Patch

[Bing+Tsher+E]

And, alas, the way the memory-conscious C programmer would store that single boolean is a char.

What a waste. A char is an array of bits, you know. Or do I just dwell too much in assembler?

Re:Patch

[Bungie]

I might be wrong but it's probably because the only character code you can fit into a single bit of memory is SOH. ASCII characters use 8 bits of memory for a single character which is what char was origionally designated for (storing a character).

Re:Patch

What the heck are you talking about

$ cat bool.C
#include
int main()
{
                std::cout
int main()
{
                std::cout

Re:Patch

Argh slashcode eat my code! Can't you quote unknown HTML-Tags!?
Anyway, sizeof(bool) is 1 as can be seen by this little piece of code:

$ cat bool.C
#include <iostream>
int main()
{
                std::cout << sizeof(bool) << std::endl;
}
$ g++ -Wall -O3 bool.C
$ ./a.out
1

Re:Patch

[ArsenneLupin]

Shouldn't that be void goatse(thick cx)?

Long may reach further, but it doesn't really close the hole.

Re:Patch

[leromarinvit]

Sure, but if all you want is a single boolean, a single byte is still the smallest unit you get. Of course, you're free to use the remaining bits for something else.

Re:Patch

[msclrhd]

Don't you mean true|false|FileNotFound -- http://thedailywtf.com/Articles/What_Is_Truth_0x3f_.aspx

Re:Patch

[Simon80]

C, C++, and other languages are an abstraction of what actually happens in the executable, OS, and hardware. Not everything that the abstraction exposes has a one to one mapping with what is going on in the layers below. Ignoring this fact can result in code that is very expensive for the language to implement. There isn't always one right way to implement something like an array of booleans that works best in every use case, and the compiler usually doesn't know as much about usage in a given context as you do.

Re:Patch

[lennier1]

It's more a matter of principle.
Just looks cleaner to use a boolean value for this, even if you can't reserve anything smaller than a nibble for storage.

Re:Patch

[Your.Master]

This is all true, the problem is that the GGGP said sizeof(bool) > 1 which is false.

What is true is that:

struct nobool
{
        int a;
};

struct hasbool
{
        int a;
        bool b;
};

struct hastwobools
{
        int a;
        bool b;
        bool c;
};

sizeof(hasbool) - sizeof(nobool) > 1. So that is fun. But the GGGP misses that sizeof(hastwobools) - sizeof(hasbool) = 0, generally speaking. Thus, that's not why bool[100000] is a bad idea, since it works out the same as char[100000]. Though it's still probably a bad idea: how often is a 100kB bool array a good idea, especially on the stack as is implied above?

(yes, I know structs can have different alignment rules than stack frame alignment rules, but it seems like the easiest way to make the point).

Re:Patch

[Tacvek]

There would be several options. A C compiler could pretend that it was a byte addressable machine, and just never generate code that generates addresses without the last 3 address bits being all zeros.

That would be the easiest option.

On a side note: The 386 is byte addressable, but has alignment concerns, meaning that loading an int from a non-multiple of 4 address is possible with a single instruction, but it is slower than loading it from a multiple of four address. Did the TI 340x0 series have similar alignment concerns?

Re:Patch

[Tacvek]

The C99 standard does specify a few minimum sizes for some of those though. For example, char must be at least 8 bit.

Re:Patch

But how are you going to eat the shit then...cause we all know your a shit eater.

Re:Patch

[sconeu]

It's been about 15 years since I played with it, so I'm afraid I don't recall.

Sorry.

Re:Perhap the kernel's size is becoming too unweil

[siride]

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

Breaking News

Linux Kernel used to have hole that provided root rights.

Doesn't work

[93+Escort+Wagon]

For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system.

Something must be wrong with my Linux - this "superuser" account doesn't appear to exist.

$ su - superuser
su: user superuser does not exist
$

Re:Doesn't work

AC, I think you need to double-check your embedded humor sensor. It appears to be broken.

Re:Doesn't work

[gravyfaucet]

try
$ su - mild_mannered_reporter

that should put you on the scent

Re:Doesn't work

[93+Escort+Wagon]

You are too stupid to live....

I guess for people like you, next time I need to add...

*** BEGIN JOKE ***

and

*** END JOKE ***

If that's still not enough - I can incorporate the blink tag and some colored fonts.

Re:Doesn't work

It's called a Fishing Expedition, bitch.

Re:Doesn't work

[TheRaven64]

protip: If you need markup to indicate your joke, you might be using a different definition of 'joke' to your readers.

Re:Doesn't work

[Runaway1956]

Don't you have to create the account if the installer forgets it? That's what I do on all my machines! /end offtopic bullshit response here

Re:Doesn't work

[optikos]

Most of those of us who have taught other people for decades 1) that the "su" command stands for "switch user" not for "super user" and 2) that root is the proper term and 3) that anyone who uses the term "superuser" is displaying a certain degree of ignorance have given up. Perhaps you should too.

Re:Doesn't work

protip: using "protip" makes you look like a douche.
 
Also, nothing wrong with the joke in question. The real problem is that the three hundred or so real geeks on slashdot have to deal the inane comments and inappropriate moderation from the hundreds of thousands of wannabes that infest slashdot these days.

Re:Doesn't work

[X0563511]

Indeed.

Who the fuck calls that superuser?

Re:Doesn't work

What's so funny about the word and?

Re:Doesn't work

[glwtta]

People who like to surf the information superhighway?

Re:Doesn't work

[e9th]

The most desirable identity for the intruder to assume is that of the super-user. System administrators acquire super-user privileges by executing a program called su.

-- F. T. Grampp* and R. H. Morris*, UNIX Operating System Security, AT&T Bell Lab. Tech. J., 63, No. 8 Pt. 2 (October 1984), p. 1660.

*AT&T Bell Laboratories.

Re:Doesn't work

[Bing+Tsher+E]

Is this R. H. Morris the dude whose son is Robert Morris?

I suspect so.

Re:Doesn't work

[Bing+Tsher+E]

Who the fuck calls that superuser?

All I had to do was turn around and reach at the bookshelf behind me:

"But we must warn you: there is a special user on every UNIX system, called the super-user, who can read or modify any file on the system. The special loginm name root carries super-user privledges...."

from page 52, "The UNIX Programming Environment", Brian W. Kernigan & Robert Pike, Prentice Hall, 1984.

Re:Doesn't work

[e9th]

Indeed he is.

Re:Doesn't work

protip: That's usually the goal.

Re:Doesn't work

[x2A]

cd /usr/src/linux &&
grep -ilE 'super.?user' `find . -iname *.[ch]`

arch/avr32/mm/cache.c
arch/h8300/include/asm/cachectl.h
arch/ia64/kernel/unaligned.c
arch/m68k/include/asm/cachectl.h
arch/m68k/kernel/sys_m68k.c
arch/parisc/hpux/sys_hpux.c
arch/x86/kernel/apm_32.c
arch/x86/kernel/ioport.c
drivers/char/apm-emulation.c
drivers/char/rio/errors.h
drivers/char/rio/rioctrl.c
drivers/net/wireless/airo.c
drivers/scsi/megaraid.c
drivers/scsi/megaraid/megaraid_mm.c
drivers/staging/vt6655/iwctl.c
drivers/staging/vt6656/iwctl.c
fs/cachefiles/daemon.c
fs/ext4/mballoc.c
fs/fcntl.c
fs/namei.c
fs/ntfs/super.c
fs/smbfs/file.c
fs/ubifs/budget.c
fs/ufs/ufs_fs.h
fs/unionfs/sioq.c
fs/utimes.c
fs/xfs/quota/xfs_qm.c
fs/xfs/quota/xfs_qm_syscalls.c
fs/xfs/xfs_quota.h
include/linux/acct.h
include/linux/dqblk_xfs.h
include/linux/fd.h
include/linux/keyboard.h
include/linux/random.h
include/linux/sched.h
include/linux/shm.h
include/net/sock.h
kernel/kexec.c
kernel/sys.c
kernel/sysctl.c
kernel/time/ntp.c
mm/mempolicy.c
mm/migrate.c
mm/oom_kill.c
net/core/dev.c
net/core/sock.c
net/netlink/af_netlink.c
net/netrom/af_netrom.c

(full disclosure: I also piped it thru |sed -e 's/^\.\///g' for formatting purposes (slashdot puts it all one one line if they begin with ./ for some reason) and |sort because I'm just like that)

Re:Doesn't work

[VoidCrow]

*sigh*

Re:Doesn't work

in cyber space!

Re:Doesn't work

[Kjella]

try for example "man su":

NAME
              su - change user ID or become superuser

or sudo, but you'll have to all the way down to the description:

DESCRIPTION
              sudo allows a permitted user to execute a command as the superuser or another user

Outside geek circles "root" doesn't mean anything, but superuser is at least somewhat meaningful. Though most don't actually deal with it at all anymore, they're in a sudo group so they only ever user their account and some applications ask them to reenter their password to become administrators. To most people "root" is more like "system" than "superuser" to most people these days.

Re:Perhap the kernel's size is becoming too unweil

[Lumbre]

I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

In other news, direct from Windows Update: "A security issue has been identified that could allow an authenticated remote attacker to compromise your system and gain control over it." x10 "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it." x5 and other misc. vulnerabilities =)

Re:Perhap the kernel's size is becoming too unweil

[Goaway]

So if you can't find any real reason why Linux is better, you just lie about the competition?

Re:Perhap the kernel's size is becoming too unweil

He is probably referring to the bout of security fixes for windows 7 with the same wording.. there has been quite a few of them lately.

Confirmed

Just confirmed it on my ubuntu 10.04 server.

Re:Confirmed

[X0563511]

That's what you get for using Ubuntu on a server!

Re:Confirmed

That's what you get for using Ubuntu on a server!

Immediate community action and timely patches?

If that's what we get, then thank you, Ubuntu.

Re:Perhap the kernel's size is becoming too unweil

And that has to do with linux?... Oh thats right nothing.

Pointing at what other people are doing wrong so you can look better makes you look like an ass in the long run. People notice it. Stop doing it and worry about what you are doing...

Root escalation is a serious issue but instead of figuring out 'hey how can we stop this from happening again' you are busy saying 'look see teh windowz sux'.

uh ok...

Re:Perhap the kernel's size is becoming too unweil

[AnonymousClown]

He is probably referring to the bout of security fixes for windows 7 with the same wording.. there has been quite a few of them lately.

And that's relevant to this thread how again?

Might as well start posting stuff about Chewbacca.

Maybe Linux' kernel is too big?

Chewbacca lives on Endor wihout any Linux or Windows computers ....

Error in title

Root is a privilege, not a right.

Re:Error in title

That was my first thought exactly!

Patch

[Frankie70]

You can get a patch here.

Re:Perhap the kernel's size is becoming too unweil

[TheRaven64]

Linux sucks, but it's okay because Windows sucks too? Great reasoning. I look forward to using it to convince people to switch.

exploited

I'm just guessing here but someone (not me) may have used it already. Travelnotes has been rooted.

Re:exploited

[X0563511]

Fucking idiots.

What's the point of rooting a server and making it obvious? These are the ones that get noticed and cleaned. It's the ones who did it quietly that sit around for years!

Re:exploited

[koreaman]

<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>

Classy.

Re:exploited

[mr_mischief]

You should have included the next two as well:

A Windows-specific character set and a looping nonexistent background sound. Heh.

Re:exploited

We had a spate of machines getting rooted over the past couple of weeks which involved a local root exploit. This one could well be it.

Patches are available

[Athanasius]

If you know how to drive git you could try applying these:

• commit eefdca043e8391dcd719711716492063030b55ac:
  x86-64, compat: Retruncate rax after ia32 syscall entry tracing
• commit 36d001c70d8a0144ac1d038f6876c484849a74de:
  x86-64, compat: Test %rax for the syscall number, not %eax

there is a workaround of disabling 32bit binaries (I'd paste a link if Google Chrome dev channel would let me... for some reason I can only paste into /.'s comment box before I've typed anything else, I'll follow-up with it), but of course you may need them depending on what your machine does.

There's also a separate issue that also gives local root, fixed by:

• commit c41d68a513c71e35a14f66d71782d27a79a81ea6:
  compat: Make compat_alloc_user_space() incorporate the access_ok()

I'm running a kernel base don 2.6.35.4 but with all 3 of those commits applied (note the last one tries to modify an arch/tile/ file which doesn't exist in 2.6.35.4, just ignore that) and can confirm that neither exploit works.

Re:Patches are available

I got the first two patches and upload here:

http://www.4shared.com/file/KIXq30ui/patch-remove-exploittar.html

If you are afraid of something, just check with the two git entries, then run patch -p0 [patch files] and your system will be safe.

Re:Patches are available

[/dev/trash]

resort represent!

Re:Patches are available

[dumfrac]

It is already patched in Debian: http://www.debian.org/security/2010/dsa-2110http://www.debian.org/security/2010/dsa-2110

Re:Patches are available

[deek]

The exploit does not affect Debian Stable servers. The kernel in Stable actually predates the reintroduction of the bug.

Score one against critics of the Debian release schedule. ;)

Re:Perhap the kernel's size is becoming too unweil

[Runaway1956]

I'm not sure, but I think they have BSD machines on Endor. And, yes, a few Apples - they also have a few elitests who admire bling above all else.

Re:Perhap the kernel's size is becoming too unweil

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

If ever there was a case of missing the forest for the trees, it's this right here.

Re:Perhap the kernel's size is becoming too unweil

[Runaway1956]

No, Linux sucks, but it sucks a lot less than Windows. I mean, the "fix" is already out. My update reminder has been sitting in the taskbar ever since I woke up. Every time my mouse rolls over my autohidden taskbar, I get a flash of red to remind me about the kernel update. I've ignored it, because the exploits are simply not deployed. Unlike Windows, where there are thousands of exploits deployed, some of them sitting on servers waiting for the opportunity to do a "drive by" installation. When it is convenient for me to do so, I'll download the update, and apply it.

But...but...

Linux is better than Windows.

Oh.

Wait.

Stuff is, what it is.

Re:But...but...

[houstonbofh]

Linux is better than Windows.

better != perfect

Re:But...but...

[joek1010]

Whatever you say Mr. Shatner ...

Re:But...but...

[eclectro]

better != perfect

While better may not be perfect, this is just plain being sloppy.

Re:But...but...

[wampus]

It's also part of the reason behind the slow turnaround time on patches coming out of Redmond. They do regression testing.

Re:But...but...

[Bing+Tsher+E]

Because the Redmond folks are forced (by their marketing types) to remain compatible with the long, long, long, long tail of a whole set of ABIs, regression testing there is incredible in comparison to Linux. Linux doesn't really have that excuse, in fact some bristle at the very idea that there should be any degree of binary compatibility between different versions of anything.

With the BSDs, the whole core toolchain is integrated with the kernel into a unified release. But when your userland is a dogs breakfast of whatever any particular 'distro' packager decides is good... well, it becomes more of a challenge. So there are all kinds of interesting things to ponder about with OSes based on the Linux kernel (there are many.)

Re:But...but...

[doktorjayd]

They do regression testing.

and yet vista was released...

*ducks

Re:Perhap the kernel's size is becoming too unweil

The fix was out before the maintainers rolled it back, too. Whoops.

Re:Perhap the kernel's size is becoming too unweil

Maybe it's time to write unit tests for the kernel.

Why is there anything 32 bit on a 64 bit server?

[erroneus]

Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit? I gotta say, this is a good reason to hate 32 bit binary blobs being distributed by vendors who don't want to release the source for their drivers and what-not... well more than I already do.

Perhaps I am misunderstanding something and that 32 bit calls are still an inherent part of 64 bit Linux? I've been running 64 bit for years and years and now I wonder if I'd be better off running 32 bit?

Bit late to be news

[0123456]

Ubuntu, at least, has already released the patch as a kernel upgrade; it was fixed early in the week so I presume most other distros have too.

Re:Bit late to be news

[melikamp]

Slackware forum has a link to the white hat's page. Here you can get a very neat proggy that will root you in less than 200 if you are still unpatched.

Re:Bit late to be news

[jroysdon]

RHEL was never affected. Red Hat BugID 630551 states:
"This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d
that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only."

Further, Red Hat states for CVE-2010-3080 that the commit upstream that brought the bug back was never allowed into Red Hat kernels:
"This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem."

I guess you get what you pay for.

I'll be curious to see in the next few days if downstream from Red Hat followed Red Hat's same kernel compile options. Some prominent downstream versions would be CentOS and Oracle's OEL.

Re:Bit late to be news

[fluffy99]

You're confusing compile options with kernel code. RedHat didn't include the patch to the code that reintroduced the vulnerability. They do compile with the 32-bit option that is needed to exploit the bug. Given that CentOS blantantly copies the source code and compiles it in the same manner, I'd expect they don't suffer this vulnerability either.

Re:Why is there anything 32 bit on a 64 bit server

[0123456]

Unless you need the big address space and MOST apps don't - 32 bit code runs faster.

Since when?

64-bit code gives you twice as many registers at the cost of doubling the size of pointers, and on older Intel CPUs losing some of the microop fusion optimisations. Every time I've seen people post comparative benchmarks of their 32-bit code recompiled to 64-bit, they've shown significant speedups.

Re:Perhap the kernel's size is becoming too unweil

[Nikker]

I always like it when other programmers complain they can't do something because of a programs behavior, gives me this warm fuzzy feeling.

Re:Why is there anything 32 bit on a 64 bit server

[0123456]

Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit?

Flash. Ubuntu handles 32-bit Flash integration automatically with 64-bit Firefox, but on some other distros it's easier just to install 32-bit Firefox instead.

Re:Why is there anything 32 bit on a 64 bit server

[Runaway1956]

Flash and Java are almost necessities on many servers. Sun Java and Adobe Flash have lacked 64 bit support, so 32 bit versions were mandatory. Or, nearly mandatory. There are options to Sun and Adobe, but performance isn't exactly the same. (Not saying better or worse, just different, which can be a problem in and of itself) When Adobe and Oracle both get around to releasing a consumer grade, final version of these ubiquitous applications, then Linux and Windows will both probably drop 32 bit compatibility as "default" installation options.

Re:Perhap the kernel's size is becoming too unweil

[wampus]

Not interesting enough. Rewriting something that already works is where it's at.

Re:Perhap the kernel's size is becoming too unweil

[siride]

Unfortunately, it's often prohibitive for you to fix every other piece of software out there that doesn't work the way you want it to, especially when it's quite enough just to deal with your own software.

Re:Perhap the kernel's size is becoming too unweil

Because it's spelled separate, not "seperate".

Cool...

[r00tyroot]

I don't have to keep entering my password for sudo access anymore!

Re:Cool...

[X0563511]

Here's a better fix:

dd if=/dev/zero of=/dev/?d? bs=512 count=1

Re:Cool...

Here's a better fix:

dd if=/dev/zero of=/dev/?d? bs=512 count=1

And you're actually stupid enough to post this code.

Re:Cool...

[X0563511]

... and you're stupid enough to reply back with that? Let me guess, you ran it. Fuck off.

Re:Perhap the kernel's size is becoming too unweil

[forkazoo]

Linux sucks, but it's okay because Windows sucks too? Great reasoning. I look forward to using it to convince people to switch.

Meh. Do you make your living from convincing people to switch from Windows to Linux? Does it really matter to you what other people use? As far as I'm concerned, Linux just needs to suck less than Windows, which it does. As long as that remains true, I won't have to worry about the hassle of considering migrating everything I do to Windows.

Re:Perhap the kernel's size is becoming too unweil

[X0563511]

I've seen far too many rooted servers to agree with you about the deployment issue.

Re:Perhap the kernel's size is becoming too unweil

Also, since the kernel is fairly 'well documented', we should be able to tell WHO is responsible for removing the patch, and reintroducing the vulnerability.

Perhaps, we could ask them why such a thing happened, and whether the linux community needs to backtrack this specific dev/s, kernel patching to date.

You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?

Re:Why is there anything 32 bit on a 64 bit server

[iammani]

Java may be, but flash?

Re:Perhap the kernel's size is becoming too unweil

[X0563511]

Yea, because one bitch on slashdot spending 2 minutes writing such a post is really detracting from figuring out "hey how can we stop this from happening again"

I'm pretty sure the people that actually matter won't be found on slashdot poking fun at everyone else.

Let's pretend Slashdotters are clueless

[General+Wesc]

root (also known as superuser)

On a largely Linux-focues tech news site you just defined 'root'. Why not also define '32-bit compatibility mode', 'Linux', 'kernel', '64-bit', 'privileges', 'web server', 'call', 'emulation layer', 'Syscall table'.

Protip: We're nerds. Write for your audience. If I don't understand a term, I can look it up. I'd prefer to have to do that than have random definitions stuck in the summary.

Re:Let's pretend Slashdotters are clueless

[ifiwereasculptor]

I believe (consider to be the truth) you're nitpicking.

Re:Let's pretend Slashdotters are clueless

[bsDaemon]

welcome to the world of ubuntu?

Re:Let's pretend Slashdotters are clueless

[Bing+Tsher+E]

Protip: We're nerds. Write for your audience.

Slashdot has 'come a long ways' from what it once was. There's even an Apple section now.

Re:Let's pretend Slashdotters are clueless

[thoughtsatthemoment]

oztiks writes with this excerpt from The H: ...to get complete root (also known as superuser) rights or permissions for a victim's system....

I think you are barking at the wrong tree.

Re:Let's pretend Slashdotters are clueless

[General+Wesc]

Oh, you're right. Silly me.

But you can't expect me to read the entire summary before commenting. :-)

code comments?

[Cyko_01]

Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability

and this, my friends, is why we add comments to our code

Re:code comments?

> and this, my friends, is why we add comments to our code

It's also a good argument for regression testing.

Re:code comments?

[Bing+Tsher+E]

When you pull the string on the Barbie doll's neck and let go, doesn't she say 'Regression Testing is Boring!' or something?

Or am I thinking of the string on a stuffed penguin?

In any case, the elves at the bazaar are busy doing cooler stuff.

Re:code comments?

Actually, the changed code is commented in the offending patch
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.35.y.git;a=commit;h=d4d67150165df8bf1cc05e532f6efca96f907cab

Thanks Redhat dude.

BTW, is it the norm for kernel developers to sign-off commits for their own patches? Maybe if someone else was responsible for reviewing and signing-off on the patch, this could have been caught ahead of time? Another person could have missed it too, but then again, maybe not.

Re:code comments?

[JohnFluxx]

The old exploit didn't work as-is, but required slight changes. So I don't know if regression testing would have caught it here.

But of course, the kernel does need more unit tests.

Re:code comments?

[sciencewhiz]

signed-off-by is for the committer. It certifies that they own the code. See http://www.mjmwired.net/kernel/Documentation/SubmittingPatches

There are other tags for people who review the patch, but they aren't required.

Re:Perhap the kernel's size is becoming too unweil

[mysidia]

Yeah... at this point i'm wondering if there are some kernel developers who like there to be security bugs in the kernel?

Why else would they revert the security patch? Polticial reasons? They don't like the fix?

Or perhaps some of the kernel developers a black hats working covertly, and the 'fixes' cause them problems exploiting their secret bugs.......

Re:Why is there anything 32 bit on a 64 bit server

no, it does not run faster, all things being equal. 64 bit compiled code runs 20-25% faster. no I'm not counting specially optimized code that's heavy on SSE and f riends. yes, it does use more ram and disk space.

Re:Perhap the kernel's size is becoming too unweil

[John+Hasler]

> Why else would they revert the security patch?

Because they made a mistake. People do that.

Re:Perhap the kernel's size is becoming too unweil

[melikamp]

A LOT of hosts still get rooted because of weak passwords. A LOT of valuable hosts get rooted through social engineering. Just because you've seen rooted hosts, doesn't mean that there is any wide-scale deployment of anything.

Re:Why is there anything 32 bit on a 64 bit server

[koreaman]

If you're using your Linux server to browse Flash apps on the web, you might be doing it wrong...

Re:Why is there anything 32 bit on a 64 bit server

[0123456]

If you're using your Linux server to browse Flash apps on the web, you might be doing it wrong...

Yeah, I missed the 'server' part :).

Re:Why is there anything 32 bit on a 64 bit server

[dbIII]

I've got some very expensive commercial software on my nodes which is produced by utter idiots that have put 32bit binaries in directories called "linux64". They've been migrating their stuff from 32bit to 64bit since 2003 so they'll get there eventually. Until then it's a mixed system with a lot of undocumented messing about to install their software.
Everything else on there was compiled for 64 bit.

Re:Perhap the kernel's size is becoming too unweil

[jpmorgan]

And that, my friends, is why a microkernel is better than a monolithic kernel.

Re:Perhap the kernel's size is becoming too unweil

[wampus]

Do they have code reviews in Open Source land? We sure as hell do in boring business software world. Tends to catch shit like this.

Re:Perhap the kernel's size is becoming too unweil

[MichaelSmith]

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

If ever there was a case of missing the forest for the trees, it's this right here.

Its a bug tracking issue, not a a version control issue.

Tell me more about this "superuser"

[Punto]

is Ric Romero writing about security now?

Re:Perhap the kernel's size is becoming too unweil

[dragonturtle69]

Agreed

Re:Perhap the kernel's size is becoming too unweil

[Idiomatick]

Another issue I see commonly is. Linux is complicated and user unfriendly --> Admin doesn't have perfect settings --> abusable security flaw.

Re:Perhap the kernel's size is becoming too unweil

[mysidia]

1 reverted security patch is a mistake.
2 reverted security patches is a major mistake
3 unintentionally reverted critical patches in 6 months is a pattern of major fuck-ups.

I'm not saying people don't make mistakes. Part of the purpose of version control is to prevent such accidental reversions.

A pattern of reverting security changes, and not detecting those reversions before the software goes to world-wide release is pretty inexcusable, in most reputable development firms... people would get fired over this.

I suppose an interesting characteristic of the OSS development module is you can't fire people for screwing up, because they're not paid in the first place, they can follow slipshod practices as much as they like, with 'accidental' reversions or other changes all over the place

Re:Why is there anything 32 bit on a 64 bit server

[bsDaemon]

When I worked at a web hosting company, we once had a customer call in to complain that javascript and flash weren't running on our servers. Of course, they aren't supposed to....

Re:Why is there anything 32 bit on a 64 bit server

[hitmark]

makes one wonder what the money gets used for.

Re:Perhap the kernel's size is becoming too unweil

[mysidia]

I won't dispute the value of code reviews, but something much simpler should have detected a reverted security patch.

A simple test suite ought to detect code reversions.

Just make it policy to write a thorough 'test' for any security or other critical bug is discovered. The test should be thorough and designed to detect the bug, cause the kernel to crash, or panic, if any known bug is still present.

Then simply require the test suite to be run against the binary and all tests pass before a new kernel can be released.

Virtualization or running the kernel in user mode (as un User-Mode linux) could be utilized to facilitate testing.

Re:Why is there anything 32 bit on a 64 bit server

[CaptainMordecai]

Sun Java and Adobe Flash have lacked 64 bit support, so 32 bit versions were mandatory.

The Sun JVM has been available in a 64-bit version for years. Even the browser plugin is available in a 64 bit version now.

Re:Why is there anything 32 bit on a 64 bit server

[LurkerXXX]

You and I have been looking at vastly different sets of benchmarks.

Some go better at 64 bit. Many others do worse.

Re:Perhap the kernel's size is becoming too unweil

[shutdown+-p+now]

Well, vast majority of pwned Windows boxes end up that way due to operator error, not some code exploit - you know, users clicking on boobies!.jpg.exe links in mails and such. It's not something you can truly fix, short of making an iPad.

Re:Why is there anything 32 bit on a 64 bit server

Many others not optimized for 64 bit. Sorry but a change in compiler isn't enough to be declared optimized. 64bit being slower than 32bit was disproven years ago... it's a myth that won't die.

So glad Linux is more secure than Windows

Amirite?

Gentoo Hardened nomultilib

[Laebshade]

News like this makes me smile that I decided to use Gentoo Hardened 64-bit nomultilib whenever I built servers. Makes it harder if the software needed to run is only available as 32-bit binaries, but I haven't run into any yet that I've needed.

Since it has no 32-bit emulation layer, this is probably one of the few 64-bit linux not affected (without a patch).

Re:Gentoo Hardened nomultilib

the exploit can be run without 32-bit glibc as long 32-bit file execution support available in kernel.

Re:Gentoo Hardened nomultilib

[JonJ]

Since it has no 32-bit emulation layer, this is probably one of the few 64-bit linux not affected (without a patch).

Yeah, except every singe RHEL deployment out there, because it was not affected by the bug.

Re:Why is there anything 32 bit on a 64 bit server

[golgotha007]

Marketing and Sales.

Re:Perhap the kernel's size is becoming too unweil

[Sulphur]

Chewbacca lives on Endor wihout any Linux or Windows computers ....

They use Force computers.

Re:Perhap the kernel's size is becoming too unweil

[theArtificial]

Chewbacca lives on Endor wihout any Linux or Windows computers ....

Lies, deceit! Wookies come from Kashyyyk. :)

Re:Perhap the kernel's size is becoming too unweil

[Bing+Tsher+E]

Its a bug tracking issue, not a a version control issue.

Indeed, and the 'bug' in this instance appears to be someone on the team who retracted the fix.

The version control system should make it possible to figure out who that was. Especially because, it seems, the version control system was not part of the problem.

Or are the dudes in the bazaar all wearing gray robes? Hopefully kernel development isn't "A maze of twisty little passages, all alike"

Re:Perhap the kernel's size is becoming too unweil

[Bing+Tsher+E]

Linux just sucks differently from Windows. It isn't purely a matter of degree.

Much the same as the BSDs suck differently from Windows or Linux.

Life is filled with trade-offs. But it's more fun to engage in zealotry than it is to acknowledge that and move on. So we have the usual chest thumping we see here.

Re:Perhap the kernel's size is becoming too unweil

[MichaelSmith]

User IDs in decentralised version control system are under the control of the comitter. Linus pulls patches from a team of patch maintainers who should always be able to account for the veracity of the meta data in their repos.

Re:Why is there anything 32 bit on a 64 bit server

[melikamp]

The vulnerability is affecting kernels compiled with 32-bit compatibility support. Enabling this option seems to be the default, even on x64 systems that do not have 32-bit libraries and cannot execute 32-bit binaries. You can say

zcat /proc/config.gz | grep CONFIG_IA32_EMULATION

to see if you have it on. More info, and the origina hack.

Re:Unit Tests

[psyclone]

In theory, you can write a unit test to cover anything and everything you want. In practicality, the amount of code to perform expansive unit tests quickly dwarfs the amount of code in the product you are testing.

Like the summary said, the old attack didn't work exactly, it had to be tweaked slightly. Even if you had a unit test for this situation, it most likely would have passed (meaning the test exploit would fail).

Re:Perhap the kernel's size is becoming too unweil

[viperblades]

The original security exploit had to be modified to exploit the current kernel, so unless you expect them to maintain all the old security vulnerability test units....

Simple fact, stuff happens. I would like to see a programmer / admin that can say in the last 6 months they have not made or almost made a major to semi-major mistake. Linux is a big project and they are reacting properly to this by re-adding the fix quickly.

Re:Unit Tests

[mysidia]

The test doesn't have to detect exploitability, only that the bug is still present (or not).

Re:Perhap the kernel's size is becoming too unweil

The offending patch was authored and committed by a Redhat developer. Since this guy made his own company's product insecure for their clients, I'd say that Redhat could very well fire him. Whether they will or not depends on the company. Besides, do you know of a Microsoft (or any closed source software company) employee being fired based on their coding vulnerable software? How about a CEO being fired for selling vulnerable software to the public? Where's the accountability there?

Re:Perhap the kernel's size is becoming too unweil

[anonum]

Perchance the Linux vulnerability patch committing folk should start peppering their patches with comments containing BIG FAT WARNINGs of the outcome if their patch is optimized away by some eager beaver wannabe super kernel dev.

Vulnerability re-exposing patches would thus be much more likely to ring the patch reviewers bells.

Re:Perhap the kernel's size is becoming too unweil

[Jurily]

You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?

You mean by ridiculing the person who made a mistake in front of the whole world? Patch your own fucking kernel if you're so damn smart.

Errare Humanum est

[cyrilc]

The fact that because we can't fire developers makes it an incentive to bad coding practices is not an argument:

for some people (esp. Linux developers where pride is an important fuel to their creativity), being pointed out in public by such bad behavior is much worse than being fired in the equivalent closed software company.
Moreover, you will never know how many developers in a closed model had turned a simple patch into a remote exploit and if the culprit was really fired afterward esp. if it's a core developer (the one that knows everything and that you can't fire).
I think I can remember at least one Windows bug few years ago that was very much like another that was closed but there are some many 0-day and remote exploits that is becomes difficult to keep track.

Re:Perhap the kernel's size is becoming too unweil

[Jurily]

Its a bug tracking issue, not a a version control issue.

No, it's a software complexity issue. The problem is, with the size of the kernel, it would be prohibitively expensive to write and run tests even just for the major bugs fixed.

It must be done....

[viyh]

"The older exploit apparently only needed slight modifications to work with the new hole." That's what she said.

Re:Perhap the kernel's size is becoming too unweil

Reported by Tavis Ormandy, biggest asshole on the planet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Perhap the kernel's size is becoming too unweil

[MaskedSlacker]

I will not have you talking about C3PO that way!

Re:Perhap the kernel's size is becoming too unweil

No, Linux sucks, but it sucks a lot less than Windows. I mean, the "fix" is already out.

This severe issue has been there for 2 years now, and "a fix is already out"?

I see the standards you hold Linux to are high.

Re:Perhap the kernel's size is becoming too unweil

[sofar]

I live with feet in both sides, and I can tell you, Open Source generally does much (100x) better than closed source. Especially in companies that need to release product or die. Hey, that's about every commercial company I know....

Re:Perhap the kernel's size is becoming too unweil

[Runaway1956]

C3PO? That must be why I was modded "troll". I wasn't referring to the midget droid - he wouldn't be caught dead using BSD or Apple!

Re:Perhap the kernel's size is becoming too unweil

[X0563511]

Most of the ones I've seen (that we can trace back to the intrusion point) are the fault of bad PHP code, honestly. Still.

Re:Why is there anything 32 bit on a 64 bit server

All 64-bit systems from Intel and AMD also come with some level of SSE. It comes along the address space "for free" because it became a standard feature by the time 64-bit machines came around. GCC, by default takes advantage of SSE when you target x86_64.

Many distributions do not enable stuff like SSE when compiling 32-bit packages. It wasn't there for i386 or i586. Whats more is the same 32-bit packages built for the all 32-bit installs are used to provide the 32-bit land on 64-bit systems. I tried some time ago to make a 32-bit program preform just as fast as the 64-bit program. No matter what flags I threw at the compiler the 32-bit version always lagged behind the 64-bit version because the 32-bit user space wasn't optimized to take advantage of newer processor features. In short I would have had to recompile all of 32-bit land to match performances.

I've yet to encounter a situation where 64-bit builds were slower. It is at least no worse, and often better. In my experience switching to a 64-bit system is about more than just address space. I'm sure you could build a 32-bit system to preform nearly as well... but really what's the point?

I may not need the extra address space, but it certainly doesn't seem to hurt me any. Given the tag-along-extras I get with it... seems like a good deal to me.

Re:Perhap the kernel's size is becoming too unweil

in most reputable development firms... people would get fired over this.

Which dream world do you live in?

Re:Why is there anything 32 bit on a 64 bit server

[Bungie]

Unless you need the big address space and MOST apps don't - 32 bit code runs faster.

The address space is needed since the total virtual addressible space needs to be divided among things like the hardware, kernel and user space. You already see this when you have 4GB of memory on a 32-bit Intel system and the hardware consumes 1GB of memory for it's addressing. Windows further splits the space into 2GB for kernel/hardware and user space. So no application can every address more than 2GB of memory (paged or physical combined) and the kernel shares the other 2GB with the 1GB of hardware addressing (leaving 1GB for it's own).

On 64-bit the addressible space is larger and the hardware address ranges can be located anywhere withing the massive amount (like 128TB) of virtual address space. So the 1GB of hardware address ranges don't have to fit in the 4GB of address space that the physical memory uses, and you can access the full 4GB of memory.

amd64 has many more registers and a better instruction set than i386 so it should execute both 32 and 64-bit code as fast if not faster than 32-bit systems. The performance gain might not be massive if software is not geared for the newer opcodes or registers, but by all rights there is no reason that the 64-bit code should run slower than 32-bit code.

It's also smaller - uses less disk, uses less memory.

You don't allocate memory or disk space in blocks of 32 or 64 bits so the savings are not affected by the larger size of the addressible bits. If you allocate a page of memory in Windows the memory manager allocates (IIRC) 64K of storage for the page regardless of the smallest addressible unit size. The extra 32-bits used to store an integer would be insignificant in the overall 64K of page space.

Re:Perhap the kernel's size is becoming too unweil

[mr_mischief]

It's too bad most closed-source software that people actually buy shrink-wrapped is sold by software product sales companies rather than actual software development companies.

Hell, some of my CE equipment needs reboots because of software bugs or insufficient cooling considerations in the design. People who put out products to make a profit are not generally engineering things to public safety standards or business-critical standards. Most are selling consumer-grade hardware and software at as low a cost per unit as they can without completely losing the market.

Re:Perhap the kernel's size is becoming too unweil

I've seen far too many servers configured improperly or using simple/short/common root passwords to agree with you about the deployment issues being responsible for a random sample of rooted servers.

Re:Why is there anything 32 bit on a 64 bit server

[erroneus]

Okay, so I was misunderstanding. Very interesting indeed. I expect an extremely swift round of patches for all of my OSes shortly. I don't believe any distro will sit on their hands over this one.

As far as "/proc/config.gz" goes, I don't have one. Is there another way that Fedora puts this information out?

Re:Perhap the kernel's size is becoming too unweil

I've seen far too many servers configured improperly or using simple/short/common root passwords to agree with you about the deployment issues being responsible for a random sample of rooted servers.

Not to mention admins who will enter passwords using an unsecure workstation to access something else remotely, admins who use the same password everywhere, admins who routinely login to unencrypted protocols, etc.

Re:Why is there anything 32 bit on a 64 bit server

[mr_mischief]

Around 15% to 25% of revenues going to customer acquisition and retention (marketing, sales calls, rebates, incentives, whatever) is a pretty common budgetary decision in US businesses. So yeah, after payroll, facilities, and other operating costs marketing and sales are a major expense. The most common advice I get as a small-business owner both online and in person from other business owners is 20%.

I've heard as low as 10%, but that's still a big chunk of the budget. I've also heard of people spending as high as 40% of revenues for a short period when entering a new market segment.

It's informative to stick "how much to spend on marketing" into a search engine and see what the different magazines, forums, and blogs say. Different industries of course have slightly different needs, but at least 10% and not more than 30% under normal circumstances should be a decent starting place for considering what to spend.

Re:Perhap the kernel's size is becoming too unweil

[Bungie]

Yeah but none of those exploits is in the Windows 7 kernel itself (which is rarely ever patched). They'll all be related to other components distributed with the operating system. This could be many things including Windows Media Player and IIS. If you want to compare the number of Linux patches with Windows Updates you would need to compare the Windows patches to the patches of s Linux distro not just the Linux kernel itself.

Re:Perhap the kernel's size is becoming too unweil

[drewhk]

Isn't Git Linus' software?

In Soviet Russia!

[ImaLamer]

I'm sorry, but as a Linux guy, it's really hard to watch a Windows guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

Re:In Soviet Russia!

I'm sorry, but as a Linux guy, it's really hard to watch a Windows guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

As a BSD guy, it's really hard to watch a Linux guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

Re:In Soviet Russia!

[slider2800]

I'm terribly sorry, but as a UNIX guy, it's really hard for me to watch a BSD guy get a chuckle at somebody else given their chosen OS's inf... ah, meh!

Move along. Nothing to see here.
Now back to work...

Re:In Soviet Russia!

[Mikkeles]

I'm sorry, but as a VMS guy, it's really hard to watch a Unix guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

Next up: Burroughs B5000.

Re:In Soviet Russia!

[glimmy]

I'm sorry, but as a mechanical adding machine guy, it's really hard to watch a computer guy get a chuckle at somebody else given their chosen platform's inferiority and not have a chuckle about it myself.

Re:In Soviet Russia!

[Tony-A]

Unfortunately the Burroughs refused to run mainframe software with such bugs. Burroughs died.
IBMs ran such software without complaint. IBM survived.
Since the programs certainly had some design errors, it really becomes a question of which erroneous behaviors are silliest. Often the "most correct" are the silliest.

Re:In Soviet Russia!

[BrokenHalo]

I'm sorry, but as a Burroughs B3700 guy, it's really hard to watch a VMS guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

And yes, I actually was a B3700 guy. Now get off my lawn. ;-)

Re:In Soviet Russia!

[jd]

Next Up: Root vulnerability found in Abacus. Caveman laughs.

Re:In Soviet Russia!

[ImaLamer]

Troll? Isn't this Slashdot? I've not commented in almost a year, but geezol

One word.

[Dee+Ann_1]

Ksplice.

Fix coming to your favorite Distro in three, two..

[Qbertino]

, one ... Bingo.

Aaaah, the beauty of open source at work. Doesn't that just feel good?
Linux does still suck in a few ways (My Ubuntu still can't handle playing sound from Firefox/Flash and Rythmbox at the same time - quite unbelievable, yes, I know) but you have to hand it to the Kernel teams all over the world: when it comes to finding, announcing and fixing critical bugs, nothing beats the Linux crew.

Go, Kernel team, go!

Re:Perhap the kernel's size is becoming too unweil

[petermgreen]

Bad PHP on it's own should not on it's own cause the system to be rooted. If it does you have other problems (be they admin stupidity or local root exploits like this one).

Re:Perhap the kernel's size is becoming too unweil

According to this comment, RHEL wasn't affected. So a Redhat developer committed a patch that made everybody else look worse. Maybe he got a raise.

Re:Perhap the kernel's size is becoming too unweil

[jeremyp]

I don't believe ridicule was mentioned.

Anyway, no matter how painful it might be for the person who reverted the patch, the issue does need to be investigated in order to find out how to detect other instances and how to stop it from happening again.

A 2 year old bug reappeared, you mean

A 2 year old bug reappeared, you mean, but this wouldn't give you the opportunity to smear linux, would it...

Re:A 2 year old bug reappeared, you mean

A 2 year old bug reappeared, you mean, but this wouldn't give you the opportunity to smear linux, would it...

"Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. "

You'd need all the software for windows too

You'd need all the software for windows too because there's a hell of a lot more than there is on the Windows install disk, even with the crapware that Dell et al bundle on there.

You'd have to include all the dev tools for Windows, all the compilers for windows and all the MS software (including stuff for Win3.11 where it still runs on the current system) and THEN you get somewhat of a parity.

In trying to even up the software count, you have made it worse, just the other way.

PS According to Microsoft, most of those programs are an inherent and necessary part of the OS therefore from MS's own attribution are more like the Linux Kernel than the distribution.

Re:Why is there anything 32 bit on a 64 bit server

Pointer size is not a bottleneck in properly written code. If your data structures contain more pointers than data, they either need redesigning or are used in a context where performance is not an issue.

Re:Why is there anything 32 bit on a 64 bit server

[doktorjayd]

Sun Java and Adobe Flash have lacked 64 bit support

eh?

sun has had 64 bit binaries for linux as long as i can remember, at least since 1.4.x, and i'd take a loose bet they had 1.3.x 64 bit packages too. ( any earlier and you'd be stretching to find a 64 bit intel/amd linux distro...)

the java runtime itself has been natively 64 bits for a long time.

you _may_ be getting confused with the horrendous java applet plugin for _browsers_ which i think has only recently been part of the distributed java bundles.

Re:Why is there anything 32 bit on a 64 bit server

[doktorjayd]

correcting my own presumptions,

seems java 5 was the first 64 bit sun distribution for linux.

takes a while to get there, but you can still click round the oracle java sites and find the binaries..

http://java.sun.com/javase/downloads/jdk/142/

http://java.sun.com/javase/downloads/5u22/jdk

for the impatient

still, java 5 released sept 29 2004, so i guess i'm stretching to remember installs from 6 years ago

the patch in TFA is wrong

[phtpht]

The patch mentioned in TFA does not fix the bug. The patches at the bottom of http://sota.gen.nz/compat2 are the correct ones.

Re:Fix coming to your favorite Distro in three, tw

And then other kernel teams go and break it again later. Yaaay Linux!

Re:Unit Tests

[phtpht]

In practicality, the amount of code to perform expansive unit tests quickly dwarfs the amount of code in the product you are testing.

Obviously you write only these that cover some important bugs/functionality. Privilege escalation bug is enough justification.

Like the summary said, the old attack didn't work exactly, it had to be tweaked slightly. Even if you had a unit test for this situation, it most likely would have passed (meaning the test exploit would fail).

That would be true if you wrote a test for the full exploit which is *not* a unit test. A unit test would cover the source of the bug (as opposed to its consequences), that is, ensuring top half of %rax is zero when looking up the syscall table (or just ensuring that %rax is always < nr_syscalls). That sort of test would catch the regression.

Re:Perhap the kernel's size is becoming too unweil

[asquithea]

Actually, I think it's a code quality issue.

Look at http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.35.y.git;a=commitdiff;h=d4d67150165df8bf1cc05e532f6efca96f907cab

It seems to me that the critical line of code reloading EAX was deleted because the committer couldn't see why it was necessary, and there was no comment in the code to explain its purpose. With no comment, and no unit test to guard against regressions (and I recognise that isn't always practical), this was an accident waiting to happen.

Re:Perhap the kernel's size is becoming too unweil

[thebagel]

Lies, deceit! Wookies come from Kashyyyk. :)

Exactly. Why would a Wookiee, an eight-foot tall Wookiee, want to live on Endor, with a bunch of two-foot tall Ewoks? That does not make sense!

Re:Perhap the kernel's size is becoming too unweil

No, it's a software complexity issue. The problem is, with the size of the kernel, it would be prohibitively expensive to write and run tests even just for the major bugs fixed.

So much for open source.

Re:Perhap the kernel's size is becoming too unweil

[arth1]

Maybe it's time to revive the split between stable and unstable, and vetting of all changes going from unstable to stable. Yes, it means a slower release pace, but the number of regressions and plain broken things (IMA, bootmem disabling, now this) having made it into production kernels lately is rather frightening.

Perhaps it's time to declare the new model a success, and move on back to the old model, so problems can be given enough time to be discovered in unstable, and either fixed, or not brought over to stable.

Re:Perhap the kernel's size is becoming too unweil

[siride]

It hasn't been for a while. He did start it, but he hasn't done most of the work.

It's true that you can say that the current software isn't good enough and write your own. Sometimes you have enough resources and time to do that. And if so, good for you. But many times you don't. And while Linus started Git to have a good VCS for Linux, he didn't write his own compiler for Linux, or his own text editor that is custom-tuned for Linux, or even his own build system. Kbuild still uses make at the core. All of those other parts have their problems and warts and it'd be absurd to expect Linus and co. to write their own versions of all of them just so they can make the software exactly like they want it. We have a term for that kind of behavior: NIH syndrome and most folks consider it to be a bad thing.

Re:Perhap the kernel's size is becoming too unweil

[jedidiah]

> So if you can't find any real reason why Linux is better, you just lie about the competition?

Lying simply isn't necessary.

Windows is in the habit of running untrusted binaries often without knowledge or permission of the user.

THIS aspect of WinDOS makes it far more vulnerable than anything else to any sort of problem that starts out as a local root exploit.

Re:Perhap the kernel's size is becoming too unweil

[arth1]

No, Linux sucks, but it sucks a lot less than Windows. I mean, the "fix" is already out

But unfortunately, fixes only come out for a few "active" branches. This is a problem for those who have to stay at a specific kernel level (like embedded, where there's little chance of getting all the special device support ported over to a new version in any sensible time frame, or systems certified for a specific use, and where changing the kernel level would mean a full recertification). So in many cases, it's a "fix it yourself".

The problem with the Linux kernel now, as I see it, is that the progression is too rapid, and even "long term stable" branches are EOLed too quickly. I'd like to see "long term stable" have a life span of at least 5 years, and preferably 10.
I mean, RHEL is still on 2.6.18, but the oldest long term stable is 2.6.27, and it's already being replaced by 2.6.32. So unless you have a vendor like Red Hat that can backport for you, or the manpower and time to do it yourself, you're pretty much screwed. And you start to look elsewhere.

Re:Perhap the kernel's size is becoming too unweil

[Zero__Kelvin]

"Why else would they revert the security patch?"

First of all, there is no such things as a security patch in the Linux kernel. A patch is a patch, and all flaws are flaws. The fact that, on the phenomenally rare occasion that something likes this happens, it is so rare and unusual as to inspire conspiracy theories, goes to show just how truly solid the Linux kernel and it's development model truly is.

Re:Perhap the kernel's size is becoming too unweil

[jedidiah]

> Well, vast majority of pwned Windows boxes end up that way due to
> operator error, not some code exploit - you know, users clicking
> on boobies!.jpg.exe links in mails and such. It's not something
> you can truly fix, short of making an iPad.

Nonsense. You can make it a little harder for end users to do stupid things when prompted by a website.

Talk about "moving goalposts".

NO ONE using ANY OS should ever have to worry about the act of loading data causing malware to run instead.

This is just retarded and should have been stopped a long time ago.

Re:Perhap the kernel's size is becoming too unweil

[Zero__Kelvin]

"Do they have code reviews in Open Source land? We sure as hell do in boring business software world. Tends to catch shit like this."

I was unaware that Microsoft doesn't have code reviews.

Re:Why is there anything 32 bit on a 64 bit server

[broken_chaos]

Possibly in /boot/config-<version>.

But I'll save you the trouble and just tell you that every x86_64 binary kernel image I've ever seen has 32-bit emulation enabled by default. Unless you've compiled the kernel yourself and explicitly disabled 32-bit emulation (like I have on a Gentoo system I run), it's got about a 99% chance of being on.

Re:Perhap the kernel's size is becoming too unweil

[Runaway1956]

You are at least partly right - but I think that you are at least partly wrong too. Sure, there are people who, for one reason or another, have to keep an old version of the kernel. However - they can always recompile the kernel with a specific patch. Since this particular exploit is a regression to a two year old kernel, I suspect that *nearly everyone* has the opportunity to patch their kernel. I can't possibly know this, but I suspect that the very people who have opted to retain an old kernel are the very people who are most capable of patching their own kernels. I mean - they have very specific reasons for not upgrading, and they must understand the kernel to some extent to have made their decisions. Alright - maybe I'm talking out my ass. Does anyone else have any better insight to this?

Re:Why is there anything 32 bit on a 64 bit server

[arth1]

You can say

zcat /proc/config.gz | grep CONFIG_IA32_EMULATION

to see if you have it on.
Why do you assume that everyone has CONFIG_IKCONFIG=y set?
As it bloats the kernel, it is quite often turned off. Fedora, for example, doesn't have a /proc/config.gz. And those who roll their own kernel tend to omit it too, because they have the .config file.

And, for that matter, why do you assume that zcat is gzip in disguise? Those who run posix compliant systems have a different zcat that doesn't do .gz files, and (sometimes) a gzcat that does gzip files. Try "gzip -dc" instead -- it has a greater chance of succeeding outside your own system.

FFS, this is slashdot

[xant]

Don't fucking explain to me what "root" means. That's just insulting.

Hardened Gentoo was pretty safe all along

Unless you turned off most of the hardening features of the Gentoo Hardened kernel, it was protected all along. See

http://bugs.gentoo.org/show_bug.cgi?id=326885#c10

Do they do any testing?

Looking at the bug, it really looks like something simple to test automatically.

I'm just wondering whether anybody is running any kind of unit-tests or regression tests on the Linux kernel?

Re:Perhap the kernel's size is becoming too unweil

[Your.Master]

The unit test doesn't have to exploit. It just has to cause a crash if the root cause bug still exists. The maintenance on this test shouldn't be so bad; the test would probably be much simpler than the exploit and likely never really needed any maintenance to speak of.

And yes, I do expect old security vulnerability test units to be maintained. That's what is done in the proprietary world and in some other big FOSS projects, and until this discussion I simply assumed it was happening in the Linux kernel. I get that total test-driven-development has a scalability problem once you get to something of this size, but elevation of privileges exploits are a narrow enough and important enough subset that they should have tests. So I would second the recommendation that, going forward, that all new Linux security fixes be coupled with a simple unit test that exposes the issue, and that is run before future kernel point releases. Maybe not necessarily on the same day, but if a security patch is submitted there should also be a bug of highest priority to write a matching test, and if it isn't fixed within a relatively short period there should be a good justification (eg. "issue requires 47 days to reproduce -- unit testing is impractical").

Re:Perhap the kernel's size is becoming too unweil

[Beelzebud]

Yeah circle those wagons! I'm sure Linux will be better off in the long run, that way!

Re:Perhap the kernel's size is becoming too unweil

[shutdown+-p+now]

Nonsense. You can make it a little harder for end users to do stupid things when prompted by a website.

Sure you can. You can make more prompts - to which they will promptly agree. You can disable running from browser (as Chrome does), but then the page providing the link will also provide steps to run outside browser, and enough people will do that.

Simply put, so long as you give your users the ability to shoot themselves in the foot, they will do so if someone manages to convince them to - and, as history shown, it's not hard at all. The only fix is to take away the ability to shoot oneself entirely, and that is the point at which you get an iPad - an "appliance".

Re:Why is there anything 32 bit on a 64 bit server

[h4rr4r]

Why does the server even have X installed, much less flash?

Re:Perhap the kernel's size is becoming too unweil

[MichaelSmith]

Well, they could have annotated it and gone back to the commit. Seems pretty brave to take out a block of assembler like that without checking.

Re:Perhap the kernel's size is becoming too unweil

[MichaelSmith]

Its a bug tracking issue, not a a version control issue.

No, it's a software complexity issue. The problem is, with the size of the kernel, it would be prohibitively expensive to write and run tests even just for the major bugs fixed.

Maybe Andrew Tanenbaum can interest Linus Torvalds in that modular kernel he has been working on.

Re:Why is there anything 32 bit on a 64 bit server

[m50d]

Why do you assume that everyone has CONFIG_IKCONFIG=y set?

It's worth giving atvice to those with sense

And, for that matter, why do you assume that zcat is gzip in disguise? Those who run posix compliant systems have a different zcat that doesn't do .gz files, and (sometimes) a gzcat that does gzip files. Try "gzip -dc" instead -- it has a greater chance of succeeding outside your own system.

This is only relevant to linux, so it's perfectly reasonable to assume the system is linux. Those foolish enough to cripple their system for the sake of following the posix standard probably wouldn't listen to any advice anyway.

Re:Why is there anything 32 bit on a 64 bit server

[m50d]

No matter what flags I threw at the compiler the 32-bit version always lagged behind the 64-bit version because the 32-bit user space wasn't optimized to take advantage of newer processor features. In short I would have had to recompile all of 32-bit land to match performances.

That's not an unreasonable thing to do on, say, a server dedicated to running one application as fast as possible. (Or you could install a distribution that optimises for modern processors). If it gives a substantial performance advantage over 64-bit (and the grandparent seemed to think it does; the only way to tell is to actually benchmark your real application) then it would be worth it.

Interesting...

[hesaigo999ca]

I thought the linux guys were always on top of their game, especially with all the source code documentation and the code repositories...
this is one of those things that should never happen....but we are human i guess, i thought only M$ had the corner stone on these sort of mistakes.

Re:Perhap the kernel's size is becoming too unweil

on it's own

"its".