grsecurity 2.1.0 and kernel vulnerabilities
| From: | spender-AT-grsecurity.net (Brad Spengler) | |
| To: | grsecurity-AT-grsecurity.net, dailydave-AT-lists.immunitysec.com, bugtraq-AT-securityfocus.com, full-disclosure-AT-lists.netsys.com | |
| Subject: | grsecurity 2.1.0 release / 5 Linux kernel advisories | |
| Date: | Fri, 7 Jan 2005 12:20:49 -0500 |
grsecurity 2.1.0 release / Linux Kernel advisories -------------------------------------------------------------------- Table Of Contents: 1) grsecurity 2.1.0 announcement and changelog 2) Linux Kernel advisory introduction 3) 2.4/2.6 random poolsize sysctl handler integer overflow 4) 2.6 scsi ioctl integer overflow and information leak 5) 2.2/2.4/2.6 moxa serial driver bss overflow 6) 2.4/2.6 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS 7) Attachments, including patches for all vulns, a POC for #3, and a working exploit for #6 1) grsecurity 2.1.0 announcement and changelog I'm happy to announce the release of grsecurity 2.1.0. It is being released initially for the 2.4.28 and 2.6.10 kernels and will be ported immediately to the next kernel versions when released. It can be downloaded at http://www.grsecurity.net. We are still actively seeking sponsorship, so if you benefit from using grsecurity and like the changes you see in 2.1.0, please consider sponsoring the future development and maintenance of the project. Changes in this release include: * New configuration file for full learning: /etc/grsec/learn_config * Learning heuristics have been optimized to better detect temporary file usage and reduce appropriately. * Learning heuristics have been modified to weight against reducing certain additional important directories. * User/group ID transitions have been added to the learning system. Any subject transitioning to less than 3 different users or 3 different groups that has CAP_SETUID or CAP_SETGID will have ID transitions added. This is useful to automatically secure applications that only transition to one or few users/groups like nobody/nogroup. * /proc/<pid>/* accesses are automatically rewritten as /proc by grlearn before being cached and written to disk * The inherit-based learning usable through the learning configuration file is usable through a regular policy as well simply by adding "i" instead of "l" to a subject for learning. * Inheritance is preserved whenever possible across uid/gid changes when the role resulting from the uid/gid change is no different from that before the change. * A complete ~95-99% efficient LFU-hash hybrid caching system has been added that greatly reduces the number of full object lookups by caching the result. The cache essentially mimics the filesystem around where applications are operating: nearly equivalent to having an object for every file and directory on the system, but without the wasted memory. The cache is invalidated on creates and deletes that cause a change in policy (through policy re-creation) and on renames of directories or symlinks. * Memory usage for non-full learning has been significantly reduced and all memory leaks have been plugged. * A new object mode has been added for hardlinks for more fine-grained permissions. See the sample policy file for information on what permissions are required to create a hardlink. Its corresponding audit flag has been added as well. * Destruction of unused shared memory feature added and included in the sysctl framework of grsecurity. This feature was ported from Openwall (http://www.openwall.com/linux). * A new option was added to the sysctl feature that enables at boot all features enabled in the kernel configuration, while allowing them to be changed via the sysctl interface until grsec_lock is set. * Policy statistics have been added to gradm that provide useful, security-relevant information on the policy you are loading into the kernel. You can view these statistics when enabling the system by running gradm -V -E. * Interactive performance of full-learning has improved by ~15% by reducing the number of context switches caused by grlearn doing small disk writes by using a write buffer (writing more once instead of less 1000 times) and keeping track of log entry lengths for quicker string matching. A signal handler was added to grlearn so that when learning is stopped, the write buffer is flushed to disk. * Kernel headers are no longer used for gradm * Updates from the PaX project (http://pax.grsecurity.net) * Bugfixes for things mentioned on the list, etc When patching your kernel for the 2.4.28 and 2.6.10 kernels, since they contain several vulnerabilities, make sure to also apply the secfix patches located on the website. 2) Linux Kernel advisory introduction Let me begin by giving you a timeline: December 15th: I send Linus a mail with a subject line of "RLIMIT_MEMLOCK bypass with locked stack" December 27th: The PaX team sends Linus a mail with a subject line of "2.6.9+ mlockall/expand_down DoS by unprivileged users" January 2nd: The PaX team resends the previous mail to Linux and Andrew Morton Between December 15th and today, Linus has committed many changes to the kernel. Between January 2nd and today, Andrew Morton has committed several changes to the kernel. 3 weeks is a sufficient amount of time to be able to expect even a reply about a given vulnerability. A patch for the vulnerability was attached to the mails, and in the PaX team's mails, a working exploit as well. Private notification of vulnerabilities is a privilege, and when that privilege is abused by not responding promptly, it deserves to be revoked. Using 'advanced static analysis': "cd drivers; grep copy_from_user -r ./* | grep -v sizeof", I discovered 4 exploitable vulnerabilities in a matter of 15 minutes. More vulnerabilities were found in 2.6 than in 2.4. It's a pretty sad state of affairs for Linux security when someone can find 4 exploitable vulnerabilities in a matter of minutes. Since there was no point in sending more vulnerability reports when the first hadn't even been responded to, I'm including all four of them in this mail, as well as a POC for the poolsize bug. The other bugs can have POCs written for just as trivially. The poolsize bug requires uid 0, but not any root capabilities. The scsi and serial bugs depend on the permissions of their respective devices, and thus can possibly be exploited as non-root. The scsi bug in particular has a couple different attack vectors that I haven't even bothered to investigate. Some of these bugs have gone unfixed for several years. The PaX team discovered the mlockall DoS. It has been fixed in PaX for 2 years. I have attached their mail and exploit code. I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel than it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version. I don't see that the 2.6 development model is doing anything to help this (as the spectrum of these vulnerabilities demonstrate), by throwing experimental code into the kernel and claiming it to be "stable". Hopefully now these vulnerabilities will be fixed in a timely manner. 3) 2.4/2.6 random poolsize sysctl handler integer overflow In drivers/char/random.c: at poolsize_strategy(): > int len; ^ signed integer > > sysctl_poolsize = random_state->poolinfo.POOLBYTES; > > /* > > /* > * We only handle the write case, since the read case gets > * handled by the default handler (and we don't care if the > * write case happens twice; it's harmless). > */ > if (newval && newlen) { > len = newlen; ^ unsigned int converted to signed > if (len > table->maxlen) ^ comparison of two signed integers > len = table->maxlen; > if (copy_from_user(table->data, newval, len)) ^ copy_from_user with len possibly > table->maxlen 4) 2.6 scsi ioctl integer overflow and information leak In drivers/block/scsi_ioctl.c: at sg_scsi_ioctl(): > struct request *rq; > int err, in_len, out_len, bytes, opcode, cmdlen; ^ in_len, out_len are signed int > char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE]; > > /* > * get in an out lengths, verify they don't exceed a page worth of data > */ > if (get_user(in_len, &sic->inlen)) ^ in_len is user-controlled > return -EFAULT; > if (get_user(out_len, &sic->outlen)) ^ out_len is user-controlled > return -EFAULT; > if (in_len > PAGE_SIZE || out_len > PAGE_SIZE) ^ signed int only has upper bound checked > return -EINVAL; > if (get_user(opcode, sic->data)) > return -EFAULT; > bytes = max(in_len, out_len); ... > rq->cmd_len = cmdlen; > if (copy_from_user(rq->cmd, sic->data, cmdlen)) > goto error; > > if (copy_from_user(buffer, sic->data + cmdlen, in_len)) ^ copy_from_user with size possibly > PAGE_SIZE > goto error; ... > if (copy_to_user(sic->data, buffer, out_len)) ^ copy_to_user with size possibly > PAGE_SIZE > err = -EFAULT; 5) 2.2/2.4/2.6 moxa serial driver bss overflow In drivers/char/moxa.c: >static unsigned char moxaBuff[10240]; In MoxaDriverIoctl(): > if(copy_from_user(&dltmp, argp, sizeof(struct dl_str))) > return -EFAULT; ^ dltmp.len is user-controlled > if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS) > return -EINVAL; > > switch(cmd) > { > case MOXA_LOAD_BIOS: > i = moxaloadbios(dltmp.cardno, dltmp.buf, dltmp.len); ^ called with no length checking > return (i); > case MOXA_FIND_BOARD: > return moxafindcard(dltmp.cardno); > case MOXA_LOAD_C320B: > moxaload320b(dltmp.cardno, dltmp.buf, dltmp.len); ^ called with no length checking > default: /* to keep gcc happy */ > return (0); > case MOXA_LOAD_CODE: > i = moxaloadcode(dltmp.cardno, dltmp.buf, dltmp.len); ^ called with no length checking In moxaloadbios(): >static int moxaloadbios(int cardno, unsigned char __user *tmp, int len) >{ > void __iomem *baseAddr; > int i; > > if(copy_from_user(moxaBuff, tmp, len)) ^ copy_from_user with no length checking > return -EFAULT; In moxaloadcode(): > static int moxaloadcode(int cardno, unsigned char __user *tmp, int len) > { > void __iomem *baseAddr, *ofsAddr; > int retval, port, i; > > if(copy_from_user(moxaBuff, tmp, len)) ^ copy_from_user with no length checking > return -EFAULT; In moxaload320b(): >static int moxaload320b(int cardno, unsigned char __user *tmp, int len) >{ > void __iomem *baseAddr; > int i; > > if(len > sizeof(moxaBuff)) ^ signed int has only upper-bound checked > return -EINVAL; > if(copy_from_user(moxaBuff, tmp, len)) ^ copy_from_user with len possibly > sizeof(moxaBuff) > return -EFAULT; 6) 2.4/2.6 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS Taken from the mail from the PaX team to Linus and Andrew Morton: the 'culprit' patch is how the default RLIM_MEMLOCK and the privilege to call mlockall have changed in 2.6.9. namely, the former has been reduced to 32 pages while the latter has been relaxed to allow it for otherwise unprivileged users if their RLIM_MEMLOCK is bigger than the currently allocated vm. which is normally good enough, except as you now know there's a path that can increase the allocated vm without checking for RLIM_MEMLOCK. i'm attaching a small i386-specific demonstration, use the makefile to create the small self-contained executable, e.g., 'make alloc=0x100000' to have it allocate 1MB of stack and lock all of it. for demonstrating the full effect of locking down arbitrary amounts of memory, you'll have to set your stack rlimit to infinity (ulimit -s unlimited) and allocate as much memory as your memory overcommit policy allows (this may mean that you'll have to run multiple instances, if you have lots of memory). surprisingly, in my tests the kernel survived pretty well, it just crawled to a snail's speed as every mapped page access required disk i/o ;-). i didn't play with overcommit policies nor any special workloads, so there may very well be worse effects with that much locked memory. in any case, this may warrant 2.6.10.1 because as soon as the fix goes into -bk, anyone reading the logs can easily figure it out and reproduce the 'exploit'. the attached patch is the excerpt from PaX that survives the exploit, so i think it's good to go.
Posted Jan 7, 2005 19:31 UTC (Fri)
by havoc (guest, #2261)
[Link] (34 responses)
Posted Jan 7, 2005 20:16 UTC (Fri)
by hmh (subscriber, #3838)
[Link] (28 responses)
OTOH, sending patches of any sort to Linus or A.M. if you are not one of their trusted senders is not very effective. Sending it to the security teams of Debian, Fedora or SuSE would probably have been a much faster path.
And, as you said, the tone of the email doesn't improve the chances of a better direct channel to Linus and A.M. any :-)
Posted Jan 7, 2005 21:24 UTC (Fri)
by Psychopath (guest, #4501)
[Link] (27 responses)
If one of them makes the decision whether to include a security fix or not include it dependant on the tone of the reporting email I wouldn't want to use this product :)
Posted Jan 7, 2005 22:44 UTC (Fri)
by sbergman27 (guest, #10767)
[Link] (23 responses)
Perhaps some sort of directory service is needed:
Caller: Operator, I need to know who to report this security vulnerability to.
Operator: Please explain the nature of the vulnerability.
Caller: <Fill in the blank>
Operator: Hold for the email address, please...
Posted Jan 8, 2005 14:33 UTC (Sat)
by PaXTeam (guest, #24616)
[Link] (22 responses)
the grsecurity announcement you can see here is *not*, i repeat, *not* the same as the bugreports that Spender or me sent (and kept resending) Linus and/or Andrew. the announcement quotes my own mail verbatim towards the end (it even says so... did anyone bother to read that at all?), and i don't think it had anything offensive in it. my personal gripe is that for 3 weeks not a single acknowledgement arrived in my mailbox, i don't think that's the way the chief developers are supposed to handle security issues (however small or irrelevant they may have been in this case - it takes a one liner to tell us so). as for going to other persons - who would that be? i don't want to talk to anyone i don't personally trust, and this immediately excludes the vendor-sec subscribers (observe the uselib() bug leak). anyone else left? with that said, i personally didn't agree with the chastising of their procedure (or rather, lack thereof) in public, but then it wasn't my announcement either.
as for Andrew's comment about anyone being able to DoS a linux box with malloc/memset... that attitude of downplaying bugs is pretty sad if he really meant it (and if true, that's a pretty sad state of affairs for linux). for one, we have CONGIG_SWAP, vm accounting and the OOM killer for a reason, second, there's no built-in recovery mechanism for the mlock/expand_down bug, so it is more serious than this malloc/memset issue.
Posted Jan 8, 2005 16:22 UTC (Sat)
by sbergman27 (guest, #10767)
[Link] (15 responses)
But it is important to understand that one can't just pick up the "Bat Phone" and have Linus or Andrew on the other end. Those days are gone.
I'm sure many would appreciate reporters of vulnerabilities following the prescribed procedures before subjecting the rest of us to increased (albeit temporary) risk.
None of this is to imply that most in the community do not appreciate the reporting of vulnerabilities, of course.
Posted Jan 8, 2005 19:31 UTC (Sat)
by PaXTeam (guest, #24616)
[Link] (14 responses)
second, you're suggesting contacting the subsystem maintainer(s). to the best of my knowledge, the VM (to which expand_stack/mlockall belong, i think) has no such person, nothing relevant turns up in MAINTAINERS at least. so that leaves Linus/Andrew. do i have a 'cause to complain' now?
third, i beg to differ on your assertion that i was the cause for your increased risk. if anyone subjected you to risk then it is the person(s) who didn't bother to deal with the bugreports (you realize that i even provided a patch which is now included in -ac verbatim). or as in the case of the uselib() bug, didn't do so in a timely manner.
Posted Jan 8, 2005 22:45 UTC (Sat)
by sbergman27 (guest, #10767)
[Link] (13 responses)
That's just off the top of my head. Being an armchair bug reporter, I can't be sure that the email address is current. I think it is, though. Get to know the procedures and relevant people. How can you guys maintain "grsecurity" and not know all this already?
On a side note, have you any relation to D. J. Bernstein?
There is a family resemblance.
Posted Jan 8, 2005 23:05 UTC (Sat)
by PaXTeam (guest, #24616)
[Link] (12 responses)
as for DJB: DJB didn't give any time for the authors he notified (well, in case of nasm it was one day, but that was probably the exception, not the rule). contrast that to my 2-3 weeks and several emails to establish contact before going public. pick a better example next time.
Posted Jan 8, 2005 23:36 UTC (Sat)
by sbergman27 (guest, #10767)
[Link] (11 responses)
"vm maintainer" "linux kernel"
(and you can just hit "I'm feeling lucky" because it is the first hit),
you will get a "kernel trap" article.
You can just type "www.kerneltrap.org", though, because this particular example happens to be on the front page of today's kerneltrap.org, thought the article is from Dec 27, 2004.
And it mentions that:
"An interesting dicussion on the lkml examined the efficiency of the inode cache in the 2.4 Linux kernel [forum], discussing several tunables primarily helpful to systems serving large NFS or Samba mounts. In particular, a slowdown was reported on such a system easily reproducible by doing a find / while cat'ing large files to /dev/null. In a discussion between 2.4 maintainer Marcelo Tosatti [interview], 2.6 maintainer Andrew Morton [interview] and VM maintainer Andrea Arcangeli [interview], it was decided that this was likely due to too small of an inode cache hash table resulting in a large number of collisions. For the work case in question, some tunables looked to prove helpful. Going forward, effort might be made in 2.6 or beyond to improve the inode cache."
As to my ditching your original question. do you subscribe to LKML? Do you read it?
That's where I learned this stuff, and you should too.
You ditched my question, however. Why do the grsecurity maintainers, who just released exploit code in the wild without following prescribed procedures, putting us all at risk, not already know all this?(!) How much can we trust you?
Posted Jan 9, 2005 0:18 UTC (Sun)
by PaXTeam (guest, #24616)
[Link] (10 responses)
as for lkml, i'm not subscribed but sometimes i scan it for interesting posts/topics.
you keep accusing me (btw, i'm not a grsecurity developer, i develop PaX only) of not following 'prescribed procedures' yet you *still* haven't shown a *single* reference to said procedure. please, stop this generic mumbo-jumbo and just post the URL to the document that clearly and unambiguously describes the 'official' procedure for reporting linux security bugs (and which doesn't involve Linus/Andrew and prescribes >3 weeks of waiting time, else you'd just prove my point). short of that, you have no basis for your claims (how can i not follow something you don't seem to know yourself either?).
we'll talk about being responsible when you manage to answer the question above.
Posted Jan 9, 2005 0:51 UTC (Sun)
by sbergman27 (guest, #10767)
[Link] (7 responses)
I will, however, take this opportunity to agree with you that if such a document does not exist, it very much should. People should *not* have to read LKML to know these things. If grsecurity had not released exploit code to the world, I would even be sympathetic. However, when an organization actually releases an exploit, it needs to be held to higher standards than the average Joe. The research on proper proceedure needs to be done, and thoroughly.
If you wish, we can continue this discussion via private email. I'm at steve_AT_rueb.com.
Live Long and Prosper,
Posted Jan 9, 2005 17:13 UTC (Sun)
by PaXTeam (guest, #24616)
[Link] (6 responses)
Posted Jan 9, 2005 22:07 UTC (Sun)
by dw (subscriber, #12017)
[Link] (4 responses)
Posted Jan 10, 2005 12:13 UTC (Mon)
by coolian (guest, #14818)
[Link] (3 responses)
Posted Jan 10, 2005 12:29 UTC (Mon)
by zorgan (guest, #4016)
[Link] (2 responses)
Posted Jan 11, 2005 8:11 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (1 responses)
After all, it was *Andrea* that *wrote* the thing in the first place, not Linus...
Cheers,
Posted Jan 11, 2005 20:11 UTC (Tue)
by zorgan (guest, #4016)
[Link]
Posted Jan 10, 2005 13:07 UTC (Mon)
by philips (guest, #937)
[Link]
I've being hitting this bug (as bug, but not securinty hole) several times before.
I hope that now it will be fixed.
Posted Jan 9, 2005 1:36 UTC (Sun)
by zorgan (guest, #4016)
[Link] (1 responses)
Posted Jan 9, 2005 12:48 UTC (Sun)
by PaXTeam (guest, #24616)
[Link]
Posted Jan 9, 2005 2:33 UTC (Sun)
by jd (guest, #26381)
[Link] (5 responses)
I understand politics, the fights over who has to deal with what, etc. I understand them and I detest them. Which is easier for a person to do? Hit the "delete" button, or hit a "forward" button to get the message to the right person? Seems to me, it's still one button. So arguing "did it go to the right person" is largely missing the very point of such an argument. If it did NOT go to the right person, but DID go to someone who has to know who the right person was, why did it NOT get to the right person?
Secondly, are we interested in who-did-what/who-didn't-do-what fights, or are we interested in Linux being the best OS that ever was and ever will be? If we are more interested in the latter, then someone should include the patches! It's that simple. At the end of the day, there's only one sure way of making progress, and that's to move forward.
Lastly, do I think some of the security developers tend to be rough around the edges? Well, yes. I had a few fights on my hands, over including patches into FOLK that others wanted to keep to themselves. I included them anyway. Nobody, but NOBODY, is going to tell me that Linux users deserve second-best, should live in ignorance of what's out there, or should have the difficulties inherent in merging multiple patches.
I wanted an easy showcase for technology, and that's exactly what I produced, whether others liked it or not. It was my opinion then, and still mine today, that knowledge is exactly like power - something to be distributed as widely as humanly possible, for the betterment of all.
Sure, I'm crazy. Sure, if Linux were to include everything that was important to a substantial fraction of it's users, the kernel would be nearly twice the size it is now. But I can survive being crazy, and those who download source can survive a little longer download time. Neither of these will kill. If substantial, wholly justified, scares into Linux' security or stability hit the community, then those might very well kill Tux.
I think the potential consequences make a LITTLE bit of effort by SOMEBODY in the Linux Kernel Development environ into getting Linus to install these patches, and in full, well worth any likely price. We can always back things out, if they turn out to be an error or become obsolete. Intermezzo, the original Ext FS, and a few other favourites have gone. DevFS is going to. Patches have been introduced with resistance from Linus - IIRC, he once said Linux would never run on anything but an ix86.
All of these just show that nobody is perfect. But they also show that those who aren't perfect should allow themselves to be steered by others in areas they're not so skilled on.
Posted Jan 10, 2005 8:33 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (4 responses)
Simple. And also, what PaxTeam appear to be missing.
Linus is ONE person. There are only 24 hours in a day. There is a *high* probability that the PaxTeam message never got to Linus' eyeballs...
THAT is why there is all this maintainers/lieutenants business. To reduce the workload on Linus to the point where it is manageable.
PaxTeam isn't subscribed to LKML. Why? Because "there's too much"? Bearing in mind Linus probably gets a hell of a lot of mail addressed to him personally, then he has to keep an eye on LKML, then he actually has a job to do, then he has to discuss things with his lieutenants... I'm afraid a mesage from a total unknown has low priority. And that fact that it claims to report a security vulnerability is quite likely to get it classified as "crying wolf" - I bet loads of people do cry wolf - intentionally or down to their own incompetence.
At the end of the day, the "proper channels" are there for a reason - in other words the system would collapse if they weren't there. And the fact PaxTeam don't take LKML says just about everything else - Oh and if they don't know Andrea Arcangeli and/or Rik van Riel are the people to talk to about VM, then they haven't been watching kernel development. Who remembers the VM-wars of 2001? :-) Hint to PaxTeam - at the very least, read Kernel Traffic *in* *depth*.
Cheers,
Posted Jan 10, 2005 11:26 UTC (Mon)
by PaXTeam (guest, #24616)
[Link] (2 responses)
now that you know some background, tell me again, 1. how much more we should have waited, 2. why we shouldn't have contacted Linus/Andrew in the first place, 3. why we should have contacted Alan first (who is explicitly not the security contact anymore), 4. why we should have contacted a VM hacker first (none of whom is a security contact either, not even for their respective employer, let alone linux/VM in general).
see, i've been in the security industry for some number of years now, and i know quite well what best practices are (everyone's got his own, but there're some common elements):
rule 1: you contact the explicit security contact first. for linux this used to be Alan himself, nowadays it's vendor-sec (yes, that means you're not supposed to deal with individual distros, that's why vendor-sec was established in the first place). except they proved to unreliable, not to mention that it's *impossible* to contact them in a secure way (they don't have a PGP key).
rule 2: short of such a security contact, you begin contacting the 'people in control', from top to down, not the other way around. for companies that's relevant because the chain of control also represents the chain of responsibility. you can argue that open source/free software projects are free of chain of control, but they're not free of responsibility. i believed and still believe that we did the right thing when we began contacting Linus, then Andrew and were about to contact Alan when external events intervened.
> THAT is why there is all this maintainers/lieutenants business.
except the VM has no explicitly listed maintainer. but yes, i can guess who the main contributors are, but that doesn't make them a security contact (remember, we only wanted to get feedback, be told what to do next, and *not* to force Linus or anyone to actually manage the issue). it makes them the right person to actually fix the bug, but that's only the second step after the initial contact.
> PaxTeam isn't subscribed to LKML. Why? Because "there's too much"?
correct, i have a day job (unrelated to linux), family and friends, i can't handle that email load (and there's more in my world than lkml). i don't know where you got that i didn't like lkml, if i wasn't sympathetic to linux, i would have posted everything to bugtraq a month ago (contrast that to the recent DJB case).
> And that fact that it claims to report a security vulnerability is quite
i provided a proof of concept exploit (which you would know if you had actually read the announcement and posts here).
Posted Jan 10, 2005 18:41 UTC (Mon)
by geomon (guest, #27127)
[Link]
From my perspective, you are trying to defend yourself when you shouldn't have to.
"understand please that we (well, spender at least) already had had a working two-way email connection with Linus. during the holidays..."
That is a problem. You have, of course, identified the source of the problem and have already recommended a solution.
"1. how much more we should have waited..."
For a legitimate bug? Not long I would hope (I am a user!).
"2. why we shouldn't have contacted Linus/Andrew in the first place"
You should have if there isn't an appropriate point-of-contact already established. That is the root cause of the problem.
"3. why we should have contacted Alan first (who is explicitly not the security contact anymore)"
You shouldn't have to. If Alan is not *the* person for security matters, that would be inappropriate as well.
"4. why we should have contacted a VM hacker first (none of whom is a security contact either, not even for their respective employer, let alone linux/VM in general)."
I've got to agree with this one too. Why should I go to the grocery store to get my car's front end aligned?
"see, i've been in the security industry for some number of years now, and i know quite well what best practices are (everyone's got his own, but there're some common elements)"
You are projecting defensiveness again. Give it a rest - you've made your point.
"rule 1: you contact the explicit security contact first."
WRONG!
An explict security contact should have been established *first*. That has either not happened yet, or the point-of-contact has changed. In either case, if the information is not readily available, then NO credible process exists for submitting security patches.
I share your shock at that prospect.
"for linux this used to be Alan himself, nowadays it's vendor-sec (yes, that means you're not supposed to deal with individual distros, that's why vendor-sec was established in the first place)."
That may work for individual vendors. How about establishing a Linux security working group that is composed of security contacts from the vendors?
What is missing in this discussion is a single point-of-contact, regardless of how it is composed, with contact information posted at kernel.org, kerneltrap.org, linux.org, or lwn.net.
"rule 2: short of such a security contact, you begin contacting the 'people in control"
WRONG.
See Rule 1.
"> PaxTeam isn't subscribed to LKML. Why? Because "there's too much"?
correct, i have a day job (unrelated to linux),"
And you shouldn't HAVE to subscribe to a mailing list to get a point-of-contact. That is pure stupidity.
That's why web pages were invented: "http://groups-beta.google.com/group/alt.hypertext/msg/395..."
"> And that fact that it claims to report a security vulnerability is quite likely to get it classified as "crying wolf"
i provided a proof of concept exploit (which you would know if you had actually read the announcement and posts here)."
The fact is, every event of security should be treated as a serious condition. It should not be the job of the submitter to determine whether the issue is serious or not; they may not be security experts but probably have noted a serious condition that they cannot explain by themselves.
This issue is a confidence buster if the community cannot produce a credible notification scheme. One of the key arguments that Linux advocates have used for years in defending the security of its products has been the claim that "many eyes" are better than code obfuscation. I have observed how this submitter has been treated and would question why ANYONE would submit a security concern to the community at this point.
Continuing to blame the person who submits the bug report, regardless of how they did it, is unacceptable. That smacks of the same arrogance that drove us to use Linux in the first place. Linux developers need to provide certainty to the user community that their concerns will be addressed and not arbitrarily dismissed.
Posted Jan 10, 2005 19:49 UTC (Mon)
by jd (guest, #26381)
[Link]
There is very little value in a system that does everything superbly, with absolutely the minimum possible latency, total stability, yadda yadda yadda, if the next day some idiot turns you finely-honed silicon masterpiece into a spammer zombie.
Yes, I think tempers may be running a little high, and that's probably not helping the situation. To me, there are only two issues at stake - how to get ALL of the fixes in place, ASAP, and how to ensure that future problems are addressed as fast as humanly possible.
Posted Jan 10, 2005 21:30 UTC (Mon)
by Ross (guest, #4065)
[Link]
As for reporting, the grsecurity team followed what they thought
Sure Linus gets a lot of email. He probaly doesn't read a lot of it.
They were very patient. People are claiming this is like DJB's arrogant
Someone else said that they shouldn't have mailed the kernel people but
Why can't MAINTAINERS have an entry for kernel security bug reports? Why
Posted Jan 8, 2005 3:08 UTC (Sat)
by Junior_Samples (guest, #26737)
[Link] (1 responses)
Nevertheless, Linux probably needs a "kernel security officer" who would be the initial
contact point when a vulnerability is discovered. It is shameful that
these reports went unanswered for almost a month.
Posted Jan 8, 2005 11:15 UTC (Sat)
by pointwood (guest, #2814)
[Link]
That's what I was thinking too, unless they already have some kind of process for that?
Posted Jan 8, 2005 17:18 UTC (Sat)
by wolfrider (guest, #3105)
[Link]
Posted Jan 7, 2005 21:20 UTC (Fri)
by uravanbob (guest, #4050)
[Link]
Posted Jan 8, 2005 0:37 UTC (Sat)
by mmarq (guest, #2332)
[Link] (3 responses)
And the key word here, i belive, is "development" !!... Linux were always in a constant state of development. There never were a relly true 'stable version' out of the initial series of 'stable marked' kernels. But that is my opinion. Also, IMO, the best solution for these problems is to open another tree, after a new *wild* unstable serie is open...
...lets say a 'stable-final', where only bug fixing and security holes *should* be mended, and not as we have today where pretty major features changes are made on stable series...
...there shoudn't be any clash among a wild 'unstable' and a 'stable-final' flowing in simultaneos, since they are so different in purpouse.
And that is not asking for to much, i belive, since the it is in all the interest of the commercial party of Linux world, to have a 'Titanium' solid product,... and they have the resources to make it rock.
Posted Jan 8, 2005 15:21 UTC (Sat)
by Klavs (guest, #10563)
[Link] (1 responses)
Posted Jan 8, 2005 18:41 UTC (Sat)
by mmarq (guest, #2332)
[Link]
So 2.4 is a real evidence that a stable serie are just better continued versions of the unstable ones.
"IMHO a real "stable" kernel, will result in it lacking features..."
How is that ?... i mean, if 2.4.25 was at the point where there wasent any more features added, if efficiently decided it should had been 2.4.20 or 21, then afterwards the tree could became 2.4.(??) stable-final, that is, no more features besides bug features and security holes mended(dont know but guess more features were added after 2.4.25). So what's wrong with this view ?
I mean, you should have had a closed stable serie, and instead had a live *real* stable-final for only bug, security holes, and drivers, and at the same time have the normal 2.5 or 2.6(stable)... If people wanted more features they should had waited for 2.6, and had helped more in its development, instead of trying pushing it to 2.4 where they fealt more save.
So in conclusion i belive is obvious, that a *real* stable-final, 'IF WELL MANAGED', will help in the general development of Linux, because there is a sure place for things like the ones discussed in this article, and more skilled and inventive developers will be pushed to the next *real development* tree.
And the well managed part, intentionaly in bold(sorry), means that a stable-final(ex:2.4.50-FINAL) au contrary of the development tree, should be very very carefully planned, and should have only *ONE* final version number, after the necessary " pre " ;... and the process shoul only be repeated, after a lot of consideration(ex:2.4.55-FINAL) if results were not at all satisfactory.
I belive the community has enough room now, and Linux kernel enough features(well above average for servers, not quit enough for desktops) for it to go smoodly, without vacating any of the trees out of developers.
Cheers
Marques
Posted Jan 8, 2005 18:02 UTC (Sat)
by bluefoxicy (guest, #25366)
[Link]
http://woct-blog.blogspot.com/2005/01/finally-new-pax.html
In this blog entry I talk about the problems with the 2.6 development model being used for a 'stable' tree, opening up by discussing PaX finally catching up on all the VM changes like it shouldn't have to until 2.8.
I then took a page out of whatever book the Ubuntu guys are going for and structured a low-maintenance, long support cycle release mechanism around the 2.6 development model, simply by shifting the model to the odd number branches (2.7) and using the even branches for bugfixes only (security holes are bugs).
Driver backporting can be invasive, and is more work than just bugfixes. Drivers requiring invasive changes (Reiser4 hacked up the FS core a lot) would be forbidden for "Stable" in my design. Drivers that are just drop-in and modify a Makefile and Kconfig slightly are ok, but remember that somebody has to maintain that.
My goal is a release cycle that produces long-term support for stable kernels and timely releases, without stacking too many stable releases on maintainers at once or too much maintenance on a stable release. Maintaining a stable kernel should take about 10-15 minutes of your time per day in net. That means that an hour or two spent on your weekends to merge in a backported security patch is the target.
Unfortunately it seems that I didn't produce a model that would make everybody happy. At the very least I have no support; but that's ok, because I have no experience designing development models, so I'm probably way out of line.
Still, get the damn ball rolling and come up with something.
Posted Jan 7, 2005 21:55 UTC (Fri)
by Ross (guest, #4065)
[Link]
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
"Locally exploitable flaws have been found in the Linux binary format
"Version: 2.4 up to and including 2.4.29-pre3, 2.6 up to and including
Posted Jan 7, 2005 22:17 UTC (Fri)
by iabervon (subscriber, #722)
[Link]
Posted Jan 7, 2005 22:53 UTC (Fri)
by barryn (subscriber, #5996)
[Link] (1 responses)
Posted Jan 7, 2005 23:26 UTC (Fri)
by ringlord (guest, #6309)
[Link]
The alternative is that you have a closed OS where you just have to trust the publisher (you wish! :D).
Posted Jan 8, 2005 0:24 UTC (Sat)
by BruceRamsay (guest, #2068)
[Link] (4 responses)
After a quick look at the bugs listed I have a few questions about some of the analysis. For example:
>> if(len > sizeof(moxaBuff))
On all systems I know of, sizeof() produces an unsigned number. In C, comparisons between unsigned numbers and signed numbers are done as unsigned comparisons. In fact, -1 > sizeof(moxaBuff) is true. Therefore the comment "signed int has only upper-bound checked" is incorrect. After the test we are guaranteed that 0 <= len <= sizeof(moxaBuff). (I am speaking about real world C implementations and not theoretically possible C compilers.)
A quick look at Linux source code shows me that, at least on some architectures, PAGE_SIZE is an unsigned number. So tests like "len < PAGE_SIZE" also check for negative values of len.
It is hard to put a high priority on something which also includes incorrect analysis.
Still, I applaud the use automatic code analysis for producing clean and correct code. The more bugs removed the better.
Bruce
Posted Jan 8, 2005 17:08 UTC (Sat)
by kleptog (subscriber, #1183)
[Link]
While I sympathise with the guy, there are a number of things he could have done better. For example, including "[SECURITY]" in the subject of the emails might have been a start. The subject as given means nothing to me. I would not be surprised if the emails simply vanished in the bit bucket. Sending to Alan or Linus directly if they don't know you is a dead end.
Sending it to any of the other security teams, security focus, redhat, debian, whoever would probably have got the message somewhere where people know the right channels to use.
Posted Jan 10, 2005 12:59 UTC (Mon)
by jejones3141 (guest, #27116)
[Link] (2 responses)
>>> if(len > sizeof(moxaBuff))
>On all systems I know of, sizeof() produces an unsigned number. In C,
Some pre-ANSI/ISO C compilers did "unsigned preserving" promotions,
Posted Jan 10, 2005 14:38 UTC (Mon)
by khim (subscriber, #9252)
[Link]
Have you actually tried gcc ? The only compiler used by kernel developers will use "unsigned int" for calculation - thus all standards are irrelevant. Yes, it's still nice thing to fix (who know what'll happen in future version of gcc?) but it's not "security bug" anymore. That's the point.
Posted Jan 10, 2005 15:37 UTC (Mon)
by velco (guest, #27121)
[Link]
Incorrect. If operand types (after integer promotions) differ, one of
| If both operands have the same type, then no
In the concrete case of comparing int and size_t, for all the cases of
~velco
Posted Jan 8, 2005 19:27 UTC (Sat)
by dmarti (subscriber, #11625)
[Link] (1 responses)
security-alert@[MAINTAINER]
regardless of their existence. Anyone who could be deemed as a 'MAINTAINER' is encouraged to populate at least some of the above email addresses.
Posted Jan 10, 2005 17:02 UTC (Mon)
by pjs (guest, #10927)
[Link]
You see, they couldn't contact vendor-sec because they don't trust vendor-sec anymore due to the recent botched handling of the uselib bug.
So they contacted Linus and Adrew directly. When emails went unanswered for 3 weeks, Linus and Andrew couldn't be trusted anymore either.
So, you can clearly see it follows from the above that the only practice left, having exhausted all the "best" ones, is to release details and exploit code for new and previously discovered bugs, with an angry rant. With such a zero-tolerance policy for mis-handling of bug reports, it's easy to quickly run out of options.
Posted Jan 10, 2005 14:19 UTC (Mon)
by FarcePest (guest, #3065)
[Link] (1 responses)
Posted Jan 13, 2005 16:14 UTC (Thu)
by Blaisorblade (guest, #25465)
[Link]
A bug tracker is open in the wide just as the LKML (unless you tell me otherwise, which I think is unlikely, but I'm no bugzilla expert) - I didn't find any "report sensitive issue" feature for such reports.
This probably explains why nobody mentioned the tracker. So, what's your point?
Posted Jan 10, 2005 14:38 UTC (Mon)
by l3v1 (guest, #27119)
[Link]
Second, if you find a vulnerability, AND have the patch for it, AND have good will AND wish to help, then if you see there comes no answer from Linus or AM or AA, then why do you think starting to complain will solve anything. Or is it better than sumbitting the patches you have to good places like Debian, Gentoo, RedHat, Suse and I could go on.
Don't get me wrong, I think we ALL are thankful for the work you do guys. It's just you'd better take some etiquette lessons.
Posted Jan 10, 2005 16:50 UTC (Mon)
by TheKat (guest, #27125)
[Link]
and looking at kernel.org, I found a link to http://bugzilla.kernel.org/ on the main page.
Posted Jan 10, 2005 16:52 UTC (Mon)
by ahzz (guest, #5018)
[Link]
Did you bother asking LKML who the apropriate person to contact would be about htese vulnerabilities without giving out enough detail to comprimise things?
One would think that such a "great hacker" or even a measly maintainer would know that if it ain't writen, then you ask the mailing list.
You are not a god that get's to interrogate and berate the leaders simply because you found something that you think is important (or even learned of something important). So get off your high horse and join the rest of the Internet community in how you approach the problem of getting an answer to a question.
Posted Jan 11, 2005 6:26 UTC (Tue)
by cadence (guest, #27145)
[Link] (1 responses)
This all begs the question that if they weren't urgent (based on Linus and Andrew not replying directly to them, and by the fact that Andrew stated on the LKML that he felt they weren't urgent bugs), why is everyone jumping all over grsecurity team, and paxteam for posting these publicly... as that (according to the below links) would be exactly where the next place to send them would be (the LKML).
http://www.tux.org/lkml/#s1-10
http://www.tux.org/lkml/#s1-15
Posted Jan 12, 2005 0:37 UTC (Wed)
by jjs (guest, #10315)
[Link]
This message brought to you by the "Winning Friends and Influencing People Network."grsecurity 2.1.0 and kernel vulnerabilities
Maybe. But a swift kick is always an effective to wake people up, even if the kick is not deserved...poor social estrategy
"the tone of the email doesn't improve the chances of a better direct channel to Linus and A.M. any :-)"poor social estrategy
He did not say that "the decision whether to include a security fix or not include is [sic] dependant on the tone of the reporting email". He said that it would not help them to establish a direct channel to Linus or Andrew. A single person, even two, do not scale well, and the rest of the "contributors" need to learn who to report problems to. :-)poor social estrategy
a bit late, but for the record:poor social estrategy
The proper procedure has been well known for some time. Determine the official maintainers for the parts of the kernel in question and report the bugs or vulnerabilities to them. Linus and Andrew depend upon them heavily for the sake of their own scalability. (This was all hashed out back during the "Linus Scalability Crisis" of a few years ago.) If Linus or Andrew happen to be the official maintainers for the relevant part of the kernel, then the reporter has cause to complain.poor social estrategy
i've got to love armchair bug reporters. where's the 'proper procedure' you're talking about? saying it exists doesn't answer my question, i want to know the details, URLs, etc. CREDITS says that Alan Cox was the former security contact point and vendor-sec is the new one which i don't trust for very good reasons (i'll remind you again of the uselib() bug leak).poor social estrategy
VM? Andrea Arcangeli. ( andrea@suse.de )poor social estrategy
Andrea is a kernel hacker, he's not a security contact nor is he the maintainer of the VM (if you know otherwise, show me the proof). and you ditched my original question, so let me ask it again: what is the 'proper procedure' *you* were talking about?poor social estrategy
If you go to google (it's at http://www.google.com) and do a search on:poor social estrategy
thanks for educating me on how to use google, but what you failed to answer is how i was supposed to figure out that the 'proper procedure' for reporting a *security bug* in the VM means a google search for specific keywords and accepting the first hit (it made me smile no end, i suggest you post this to the bugtraq or dailydave lists and see what the real security community thinks about it). so try again. it also makes me think, would you really blindly accept the first hit as your point of contact for a security matter? i'm glad you don't get to make that call.poor social estrategy
No need. You have already stated your postition and mindset quite clearly enough for everyone to understand. And yes, I am exiting this thread, as I rather dislike participating in useless flamewars, which is what this has become.poor social estrategy
Steve Bergman
everything i discussed here very much belongs to the public and it shall stay so. i see you are quick to accuse others of being irresponsible but don't actually have the guts to apologize when your claims prove to be without merit. you also haven't realized that there are bigger issues here than the fate of a handful bugs, which is the whole point why we tested the waters with them only, not more critical stuff. some questions for you and the community to answer: why can the BSDs have a designated security officer and linux not? why can you communicate with said officers using proper encryption whereas you cannot with vendor-sec? why did nothing happen after the do_brk() bug/exploit leak more than a year ago so just in time history could repeat itself with the uselib() bug/exploit? why didn't you, Steve Bergman, complain about *that* yet? why is it acceptable that isec can release local root exploits with their advisories (which are anything but simple to understand and hence reproduce) but a few liner in assembly (trivial to reproduce) makes you scream 'irresponsible'? hipocrisy abound and you talk about holding others to higher standards.poor social estrategy
If there is still a problem here, take it to e-mail, or IRC. LWN comment postings are not the place for it - remember your comments will probably exist here long after you cease to.keep the pissing contests for IRC
Just remember, the Pax guy is trying to do a good thing, and wants it keep the pissing contests for IRC
fixed. He may have the social graces of a walrus, but he's at least
*doing* something about a problem. Stop ripping the guy and acting like
armchair quarterbacks.
May I politely request that everybody stops confusing the PaX team with keep the pissing contests for IRC
the grsecurity developers? I haven't seem anybody of the PaX team
"behaving like a social walrus" (not that I think this term would be fair
to Brad Spengler, either).
Anyway, the suggestion that Andrea Arcangeli would currently be more of a
VM maintainer than Linus Torvalds or Andrew Morton is so funny that I
don't understand why anybody took sbergman27 seriously. He has done
important development on the VM a couple of times, but he has never
adopted anything like a maintainer's role, AFAIK.
But I think the main point remains (and that's why this discussion makes
sense): If Linus and akpm get too much flooded with e-mails that they
cannot even reply to a local DoS report within 3 weeks, then maybe they
should appoint someone to be a security contact person? Someone who is
willing to look into such reports, can judge their severity, and contact
the relevant maintainers to review proposed patches etc.?
Why's it funny that "Andrea would be more of a VM mainainer than Linus"?keep the pissing contests for IRC
Wol
Because *writing* != *maintaining*. keep the pissing contests for IRC
Maintaining means reviewing other people's patches, forwarding them to
tree maintainers, making sure the code stays clean and well-documented,
etc. Andrea has not even bothered much sending his own to Linus/Marcelo.
Thanks for you work, PaX.poor social estrategy
It always seemed to me that Alan Cox is very responsible with respect to Alan Cox?
security problems. Now that he is maintaining a stable kernel again, he
might be a good contact point.
yes, Alan used to be the security contact person, but according to MAINTAINERS, vendor-sec took over that role (for the worse, as the facts show). with that said, we did consider contacting him after having waited for weeks in vain, but unfortunately the sudden leak of the uselib() bug and exploit made it necessary to release a new grsecurity version (which was otherwise being finalized for release anyway).Alan Cox?
Personally, I don't like getting into spitting-matches. I've singed myself on WAY too many flame-wars in the past, and my brain can't take it any more. However, that being said, I'll trow in my two units of local currency.
For what it is worth...
"So arguing "did it go to the right person" is largely missing the very point of such an argument. If it did NOT go to the right person, but DID go to someone who has to know who the right person was, why did it NOT get to the right person?"For what it is worth...
Wol
lots of speculation so let's see the actual timeline a bit. spender emailed Linus sometime early december about the few issues he had found. he also mentioned some of the fixes that were in PaX, the result of one of them was this commit: http://linux.bkbits.net:8080/linux-2.6/cset@41bc900azV2y9... . understand please that we (well, spender at least) already had had a working two-way email connection with Linus. during the holidays i had finally time to work on the forward port of PaX (last supported version was 2.6.7) and that's when i realized the change in status of the expand_down() bug as since 2.6.9 it became exploitable by unprivileged users as well. so i emailed Linus about it (of the importance, not the bug itself, he had already known about it from spender, although he had never replied back on that one). one week later, which is early this year i resent the mail to Linus and Andrew as well, and the next day spender forwarded the mail himself to them (as i said, he had a known working email route to Linus at least). nothing happened except spender was preparing the next grsecurity release and it became more and more urgent to get some feedback on these issues. we were considering emailing Alan Cox (the week of waiting allotted to Andrew as well wasn't over yet) when the uselib() exploit suddenly hit the net and everyone entered forced release mode, we couldn't delay it either.For what it is worth...
> likely to get it classified as "crying wolf"
"lots of speculation so let's..."For what it is worth...
I hope that I'm not speculating too much, myself. The last thing I want to do is add to the general confusion, here. My personal opinion is that a bug is a bug is a bug, and needs to be fixed. Where that bug is a security hole, as is the case here, it needs to be fixed almost before any other concern, come hell or high water.
Thoughts
There was no crying wolf and there were no "proper channels". If theseFor what it is worth...
type of bug reports are not taken seriously then I am shocked. It wasn't
a subtle or complex set of bugs. These are the kinds of problems that
show up all the time. The source code snippits should have been more
than enough to "prove" their case.
were the best ways to report the problems. The fact they guessed "wrong"
(which is not actually a fact ... just an unsupported assertion on
several people's part) is not their fault. I can't fault them for it.
I'm still unclear as to what the "correct" way would have been. There
was absolutely no documentation on how to report such problems. You
claim they "should have known" that Andrea is the right contact based on
years-old information. Using that reasoning Alan Cox would be the right
contact... but we know that is incorrect.
The point of them explaining they had "established two-way link"
hat Linus had read and responded to the original message ... but not
fixed the problem once the bug became exploitable. You are complaining
that they didn't read the lkml ... but what, exactly, would that have
accomplished? Posting to the lkml is every bit as public as this
disclosure. Or are you saying you aren't allowed to report bugs without
subscribing?
security reports. It is not even close. Several people have claimed
these issues were released as punishment and that the use_lib() thing is
unrelated. The point that had been made is that these issues were being
released because someone else leaked the use_lib() bug... otherwise it
would have all be taken care of together. Once the information is out it
is in everyone's best interest that is is fully and widely disclosed.
Secrecy is only useful for so long... other people may find the bug and
information tends to leak out. A month and change seems more than
reasonable.
one or more of the distribution maintainers. I can't disagree more.
Report security bugs to the upstream. They will be fixed in a single
place, in the right way -- not to mention the advantage of limiting the
number of people the information is sent to.
not setup a separate mailing list or alias which will magically go to the
right people (not including a bunch of distro maintainers)? Why not
create a PGP key for it to accept encrypted messages? I think everyone
agrees there is a problem. We may not agree on who is at fault but
aren't there _very_ easy ways to fix it?
I wouldn't worry about the "tone" at all. Linus isn't some frail
petunia. In fact, Linus freely admits that he is one of the most brusque,
if not out and out rude, individuals you will ever meet among Linux
developers. In his position it's an asset; in this role, someone
else with fragile sensibilities would be quickly steamrolled or suffer
a nervous breakdown. Linus can dish it out. He can take it just as well.
poor social estrategy
Quote: Nevertheless, Linux probably needs a "kernel security officer" who would be the initial contact point when a vulnerability is discovered. It is shameful that these reports went unanswered for almost a month.poor social estrategy
In all fairness to Linus, neither one of their Subject lines really stood out as an important thing to check RIGHTNOW... Linus is so swamped with work that they prolly just fell by the wayside, and it took this kick to the ass to get him to notice.poor social estrategy
In response to the "Insiders only need apply network"grsecurity 2.1.0 and kernel vulnerabilities
Oh c'mon!... you are being much more unfair to the authors of the article than they towards the development leadership of Linux kernel...grsecurity 2.1.0 and kernel vulnerabilities
IMHO a real "stable" kernel, will result in it lacking features (this is kinda obvious I guess :) - so it seems the current "stable" kernel, is linux-2.4. grsecurity 2.1.0 and kernel vulnerabilities
Right!... when did it officially had SATA support ?... by 2.4.25 i guess, no ?grsecurity 2.1.0 and kernel vulnerabilities
I've been hoping they'd split 2.7 out and go with a 6-9 month release cycle. I think the 2.6 development model is great for the odd number branches; but we need a strict bugfix stable branch that's semi-recent (hence, not 2.4 for today).grsecurity 2.1.0 and kernel vulnerabilities
In related news...
loaders' uselib() functions that allow local users to gain root
privileges."
2.6.10"
It seems to me like sparse should be able to identify cases where copy_*_user() is called with a signed type as the size, since there's probably no cases where this would be desireable (it might be legitimate if the sign is checked beforehand, but any case where a negative number should be treated differently from a positive one is a sufficiently ugly interface that needing something explicit would serve to clarify what was going on).grsecurity 2.1.0 and kernel vulnerabilities
Andrew Morton just posted his response here.
Quote:grsecurity 2.1.0 and kernel vulnerabilities
An unprivileged local user can DoS a Linux box to death with malloc and
memset, so the RLIMIT_MEMLOCK bug isn't particularly exceptional. All the
others require root anyway.
I'll pass this on to appropriate people, see if we can get this all fixed
up, thanks.
Don't all this illustrate why having the source available for all can be so good for security? I really am so glad I have based my business on an open system. Sure, it may have security problem but at least they are will be found and fixed!grsecurity 2.1.0 and kernel vulnerabilities
I'm sure there are valuable fixes in these patches. I look forward to their inclusion in a future kernel. However, it is good to keep things in perspective. The world did not collapse without these patches. Tone and correctness
> ^ signed int has only upper-bound checked
>> return -EINVAL;
Fascinating, I'd never noticed this part of the standard before but some tests on my machine here reveal you are correct, at least on the version I'm testing (gcc 3.3.2). Any comparisons with unsigned turns both sides unsigned and sizeof() returns unsigned.Tone and correctness
>After a quick look at the bugs listed I have a few questions about some ofusual arithmetic promotions
>the analysis. For example:
>> ^ signed int has only upper-bound checked
>>> return -EINVAL;
>comparisons between unsigned numbers and signed numbers are done as
>unsigned comparisons. In fact, -1 > sizeof(moxaBuff) is true. Therefore
>the comment "signed int has only upper-bound checked" is incorrect. After
>the test we are guaranteed that 0 <= len <= sizeof(moxaBuff). (I am
>speaking about real world C implementations and not theoretically possible
>C compilers.)
and for them your analysis is correct. ANSI/ISO, however, has "value
preserving" promotions, i.e. the compiler tries to find a type that
will represent all possible values of the types of both operands of >
to widen the operands to. Pre-C9X, since 64-bit arithmetic isn't
mandated, given that size_t (the type that sizeof() yields) is an
unsigned 32-bit type, the compiler will fail to find such a type.
I _think_ it ends up using an unsigned 32-bit integer. If C9X, which
requires 64-bit integer types, follows through with value preserving
rules (and size_t is still 32-bit), it may well do the comparison
in 64-bit signed integers, in which case -1 will not be greater than
sizeof(moxaBuff).
usual arithmetic promotions
> ANSI/ISO, however, has "value preserving" promotions, i.e. the compilerusual arithmetic promotions
> tries to find a type that will represent all possible values of the types
> of both operands of to widen the operands to.
the operands can be at most widened to the unsigned version of the type of
the other operand. IOW, the original operand types set an upper limit on
the width of the promoted operands. The relevant section of Teh Standard
follows:
| further conversion is needed.
|
| Otherwise, if both operands have signed integer
| types or both have unsigned integer types, the
| operand with the type of lesser integer conversion
| rank is converted to the type of the operand with
| greater rank.
|
| Otherwise, if the operand that has unsigned
| integer type has rank greater or equal to the rank
| of the type of the other operand, then the operand
| with signed integer type is converted to the type
| of the operand with unsigned integer type.
|
| Otherwise, if the type of the operand with signed
| integer type can represent all of the values of
| the type of the operand with unsigned integer
| type, then the operand with unsigned integer type
| is converted to the type of the operand with
| signed integer type.
|
| Otherwise, both operands are converted to the
| unsigned integer type corresponding to the type of
| the operand with signed integer type.
practical interest (i.e., size_t having conversion rank greater than or
equal to the conversion rank of int), the int operand will be converted to
size_t and negative value will result in an error return.
There's an industry-standard policy for advance notices of vulnerabilites before publication. ORIGINATOR is the person discovering the vulnerability.
RFPolicy
It is important that the ORIGINATOR review any documentation included with the object of the ISSUE for indication of a proper method of contact. That failing, the ORIGINATOR should check the web site of the MAINTAINER for methods of contact. Should the ORIGINATOR not be able to locate a suitable email address for the MAINTAINER, the ORIGINATOR should address the ISSUE to:
secure@[MAINTAINER]
security@[MAINTAINER]
support@[MAINTAINER]
info@[MAINTAINER]
Yes, but apparantly best (or even remotely good) practices don't apply here.RFPolicy
Surprisingly, no one on this entire thread has mentioned
the Kernel Bug Tracker.
Kernel Bugzilla
What is the difference with posting the message to LKML?Kernel Bugzilla for security issues???
What do you think, how much time companies with huge amount of money and dispendable work force need to address user/developer-reported security vulnerabiltities ? Ok, that was a hypothetical question, just thought I remind you of it.time and again... complaining is easy
Maybe I'm missing something. At the top of the kernel source tree:grsecurity 2.1.0 and kernel vulnerabilities
/usr/src/linux/REPORTING-BUGS
/usr/src/linux/MAINTAINERS
Get off your ass and start DIGGING when something isn't posted in a clearly defined way and place.grsecurity 2.1.0 and kernel vulnerabilities
For anyone interested, I found these tidbits of information regarding the method(s) used to post patches for the linux kernel... some of it seems like it was probably written long long ago... and maybe needs some updating, considering I didn't stumble across much with regards to security patches that may be considered (too) sensitive to post on a public mailing list such as the lkml or bugtraq other than #s1-15 mentioning sending an email directly to Linus, which it seems both PaxTeam, and GRSecurity teams did.. possibly Linus didn't feel they were urgent enough to consider a large security hole (as Andrew Morton's comments on lkml suggest, since none are root exploitable, one being a DOS attack, but he suggests much simpler DOS attacks via other methods that aren't considered insecure), so it would seem that the security holes discovered, would be material for the lkml list... mind you, a simple email (as suggested as being a oneliner email) by linus or andrew to either grsecurity team and paxteam respectively, simply stating they should post them to the lkml since they (apparently?) weren't "urgent".grsecurity 2.1.0 and kernel vulnerabilities
Sorry to be late to this, but if I didn't know where to go with Linux, I'd head to either kernel-janitors <http://janitor.kernelnewbies.org/>> or kernelnewbies <http://www.kernelnewbies.org/>> websites (looks like they merged) and ask the question. Of course, the LKML is also a good starting point to ask questions.grsecurity 2.1.0 and kernel vulnerabilities