LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Kernel prepatch 3.9-rc5

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Linux kernel security

[Posted January 12, 2005 by corbet]

There has been a surprising series of kernel security problems reported over the last week. These include:

  • The uselib() vulnerability disclosed by Paul Starzetz. A locking mistake in an old and mostly unused system call creates a race condition which can be exploited to change protections on memory - and compromise the system. The exploit has not been released, but Mr. Starzetz claims that the race is relatively easy to exploit by first consuming large amounts of memory to force the kernel to sleep in the right spot.

  • Paul Starzetz also discovered a race condition in the page fault handler which can only be exploited on SMP systems. If two threads tried to expand the same downward-growing memory segment at the same time, the result could be an exploitable corruption of the page tables.

  • The grsecurity team, frustrated at a seeming lack of interest in security problems among the kernel developers, disclosed five vulnerabilities at once. One of these is a denial-of-service problem where users could lock more than the authorized amount of memory into physical RAM; as it turns out, the kernel developers still are not overly concerned about that problem. The other vulnerabilities require root access (or at least access to physical devices) to exploit; one of them is in a driver which does not compile in 2.6.

Fixes for the first two vulnerabilities have been merged into the pre-2.6.11 BitKeeper repository; the last set will be fixed as well, but with less urgency. Fixes can also be found in the -ac tree and in the updated kernels being issued by distributors.

One concern that has been raised by these disclosures is that the new kernel development model, by encouraging such large changes between releases, is allowing the creation of more security problems. While that worry could yet prove to be justified, all of the vulnerabilities listed above, with the exception of the RLIMIT_MEMLOCK denial of service problem, are present in the 2.4 kernel as well. They were not introduced or enabled by the new development model.

Another concern is more valid, however: the kernel development project does not have an official security contact or process for handling security problems. Developers who know how the kernel process works have no trouble getting consideration for security-related problems and patches, but the whole process looks far more opaque to the rest of the world. There is a clear need for an easily-found contact for kernel security issues. Chris Wright, who has done a fair amount of security-related kernel work, is pushing for improvements in this area, and, most importantly, has volunteered to do much of the work. So chances are this problem will not last much longer.

(Log in to post comments)

Linux kernel security

Posted Jan 13, 2005 7:15 UTC (Thu) by maniax (subscriber, #4509) [Link]

The uselib() exploit was in fact released, and it's source is even in the original advisory.

Linux kernel security

Posted Jan 13, 2005 10:33 UTC (Thu) by hensema (guest, #980) [Link]

Indeed it is. I haven't been able to make it actually work though. The exploit forks off some threads, eats LOTS of memory, uses a lot of cpu power, and then fails. Again and again.

The exploit does seem to fork off one more thread each time it is run, so it must be doing something to the kernel memory.

However, this exploit won't go unnoticed on your machine. Just watch for huge load spikes.

Official patch repository?

Posted Jan 13, 2005 9:35 UTC (Thu) by planet12 (guest, #4199) [Link]

What I'd really like to see is an area on kernel.org for "official" versions of security patches for stable kernels (ie. the latest of 2.4/2.6 at present).

It's all very nice having someone say "It's in changeset foo in BK tree bar", or "it's in 2.4.33-rc3", but that's awfully fiddly if *all* you want is the security patch for the current stable kernel you're running. I don't know about anyone else, but I'm not in the habit of running -rc versions on production machines.

It's one of those things where a relatively small amount of work for the person merging the patch can save every distributor, big or small, quite a bit of work having to figure it out and backport it.

Official patch repository?

Posted Jan 14, 2005 13:15 UTC (Fri) by kreutzm (guest, #4700) [Link]

I second that. I usually try to get the patches from the advisories, or, e.g., from RedHat RPMS, because then they are self-contained.

Especially if you add other patches (most notably grsec) upgrading is always quite a bit of work. The best way would be to get the patches, slamm them in, adjust if they conflict with previous patches, and rebuild.

Linus and security

Posted Jan 13, 2005 9:42 UTC (Thu) by zorgan (guest, #4016) [Link]

Is it just me who finds Linus attitude shown in the linux-kernel thread
started by Chris Wright a bit irresponsible?
While reading it, I sometimes felt he hasn't realized that Linux isn't his
personal hobby anymore, but that there are millions of user of kernel.org
and vendor kernels, whose security partly depends on responsible handling
of kernel vulnerabilities. So that you shouldn't make them dependant on
your own personal pet views or distaste for some politics.

Linus and security

Posted Jan 13, 2005 13:53 UTC (Thu) by slowjoe (guest, #18834) [Link]

A quote of Linus from the above thread:

(See http://article.gmane.org/gmane.linux.kernel/270044 for the full article.)

<quote>
The only thing I really care about is that we can serve the people who
depend on us by giving them source code that is as bug-free and secure as
we can make it. If that means that we should make the changelogs be a bit
less verbose because we don't want to steal the thunder from the people
who found the problem, that's fine.
</quote>

I suspect that you may be revising your views. Linus takes a strong "let's minimise the window of vulnerability" line. That would appear to be in everyone's best interest.

Linus and security

Posted Jan 13, 2005 17:27 UTC (Thu) by zorgan (guest, #4016) [Link]

But his view is totally inconsistent in this regard. He doesn't realize
users don't want to disclosure to happen until vendor kernels are ready.
First he says he only carer about giving users the most bug-free code
possible, then he says maybe it doesn't matter that the kernel.org kernel
gets security fixes last.

Linus and security

Posted Jan 13, 2005 17:50 UTC (Thu) by jwb (guest, #15467) [Link]

You're projecting your own opinion on the rest of us. I am a user of Linux and I don't give a flying handshake about vendor kernels or their users. It is in the best interest of me and my business to have complete knowledge of all risks associated with the software we use. We need to be perfectly informed to make good operating decisions.

Linus and security

Posted Jan 13, 2005 21:48 UTC (Thu) by zorgan (guest, #4016) [Link]

But his stand doesn't help you in any respect either. His attachment to
his views means he doesn't work with vendor-sec. Which means official
kernel.org kernels get released with known security holes. Check Alan Cox'
emails in the lkml thread.

Linus and security

Posted Jan 14, 2005 5:34 UTC (Fri) by Ross (subscriber, #4065) [Link]

Speaking as a user I could care less about vendor kernels. I want the
fix out as fast as possible. If that means disclosing the vulnerability
or, more likely, giving enough information (from the patch) for someone
to figure it out then that's ok with me. Waiting on vendors could get
very ugly... which vendors first of all. What if one of them takes weeks
to get the patch released? What if they only do quarterly updates? What
about regression testing? I don't want to wait on those things.

Linus and security

Posted Jan 20, 2005 13:32 UTC (Thu) by job (guest, #670) [Link]

As I understand it, he specifically points to the problem that he is not allowed to fix problems too early with the delayed disclosure process. Everbody agrees to wait until the period is over. I for one am very thankful that Linus does not get into that game.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds