
The kernel gets a formal security contact

The Linux kernel has been nearly unique in that it has operated without any sort of formal security organization. Security-related patches would be sent to a (hopefully) relevant maintainer, who would (hopefully) get them merged into the mainline. With luck, distributors would notice the merging of security-related patches and issue the appropriate updates.

The whole system was somewhat unwieldy (though it worked most of the time), but, with this message from Chris Wright, things are beginning to change. There is now an official security contact address - security@kernel.org - which forwards to a set of "security officers" who will take the appropriate action in response to security-related bugs. The people behind that alias, as of this writing, are Linus Torvalds, Andrew Morton, Alan Cox, Marcelo Tosatti, H. Peter Anvin, and Chris Wright.

The posting also includes a disclosure policy, which reads as:

The goal of the Linux kernel security team is to work with the bug submitter to bug resolution as well as disclosure. We prefer to fully disclose the bug as soon as possible. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested or for vendor coordination. However, we expect these delays to be short, measurable in days, not weeks or months. A disclosure date is negotiated by the security team working with the bug submitter as well as vendors. However, the kernel security team holds the final say when setting a disclosure date. The timeframe for disclosure is from immediate (esp. if it's already publicly known) to a few weeks. As a basic default policy, we expect report date to disclosure date to be on the order of 7 days.

So the mechanism is now in place. What remains to be seen is how well it works when the next security hole turns up.



The kernel gets a formal security contact

Posted Mar 10, 2005 19:10 UTC (Thu) by jzbiciak (✭ supporter ✭, #5246)

The 2.6.11.2 kernel update is a security fix that apparently came from "the security team." Is this the first evidence of the new security contact in action?

Also, I'm wondering if the patch itself is actually "correct." Here it is--it's very short:

--- a/fs/eventpoll.c    2005-03-09 00:13:29 -08:00
+++ b/fs/eventpoll.c    2005-03-09 00:13:29 -08:00
@@ -619,6 +619,7 @@
        return error;
 }
 
+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
 
 /*
  * Implement the event wait interface for the eventpoll file. It is the kernel
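Review bot: the new MAX_EVENTS macro carries no comment explaining why INT_MAX is the right numerator, and since sizeof() yields size_t the macro is unsigned, so any `maxevents > MAX_EVENTS` comparison promotes the signed int to unsigned. A one-line comment above the define ("largest count for which maxevents * sizeof(struct epoll_event) still fits an int") and an explicit `(int)` cast in the macro would make both the intent and the signedness obvious to the next reader.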
@@ -635,7 +636,7 @@
                     current, epfd, events, maxevents, timeout));
 
        /* The maximum number of event must be greater than zero */
-       if (maxevents <= 0)
+       if (maxevents <= 0 || maxevents > MAX_EVENTS)
                return -EINVAL;
 
        /* Verify that the area passed by the user is writeable */
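Review bot: the comment above the changed condition still reads "The maximum number of event must be greater than zero", but the line now also enforces an upper bound; update it to say the count must be positive and no larger than MAX_EVENTS. The signed/unsigned comparison on the `+` line is correct only because `maxevents <= 0` short-circuits first, which is worth noting in that comment so a later reordering of the two tests does not silently let negative values through.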

I'm wondering if MAX_EVENTS is defined correctly. On a 32-bit machine, this lets you specify that we can queue up to 2GB of events. Is this a userspace or kernelspace number? What happens if we don't have a 2G/2G split? What happens if we don't have 2G of RAM+swap? (or if it's kernel memory, 2G of physical RAM)?

This still seems like it's a DoS waiting to happen, even if it isn't a "pass an overflowing number so we can stomp kernel memory" waiting to happen, like it was before.
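The integer-overflow hazard that the MAX_EVENTS bound in the quoted patch closes, as an added example (not code from the kernel or from the comment's author). It assumes a 32-bit size_t, modelled with uint32_t, and a 12-byte struct epoll_event represented by the constant EVENT_SIZE; the check functions are hypothetical stand-ins for the two versions of the condition in the hunk.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: struct epoll_event occupies 12 bytes; this constant stands in
 * for the kernel's sizeof(struct epoll_event) so the example builds anywhere. */
#define EVENT_SIZE 12u
/* The bound the 2.6.11.2 patch introduces: INT_MAX / sizeof(struct epoll_event). */
#define MAX_EVENTS ((int)(INT_MAX / EVENT_SIZE))

/* Byte count of the user buffer as a 32-bit kernel computes it: the int is
 * promoted to a 32-bit size_t, so the product silently wraps modulo 2^32. */
static uint32_t event_bytes32(int maxevents)
{
    return (uint32_t)maxevents * EVENT_SIZE;
}

/* True when the 32-bit product differs from the exact 64-bit product. */
static bool product_wrapped(int maxevents)
{
    return (uint64_t)maxevents * EVENT_SIZE != event_bytes32(maxevents);
}

/* True when the exact byte count fits a signed int, which is exactly what the
 * MAX_EVENTS bound guarantees for every maxevents it lets through. */
static bool bytes_fit_in_int(int maxevents)
{
    return (uint64_t)maxevents * EVENT_SIZE <= (uint64_t)INT_MAX;
}

/* Pre-patch validation checks only the sign; the patched version also rejects
 * any count whose byte size cannot be represented. */
static int check_before(int maxevents)
{
    return maxevents <= 0 ? -EINVAL : 0;
}
static int check_after(int maxevents)
{
    return (maxevents <= 0 || maxevents > MAX_EVENTS) ? -EINVAL : 0;
}

int main(void)
{
    int n = 0x40000000; /* constructed count: 12 * n is a multiple of 2^32 */
    printf("maxevents=%d bytes32=%u wrapped=%d before=%d after=%d\n",
           n, event_bytes32(n), product_wrapped(n), check_before(n), check_after(n));
    return 0;
}
```

For the constructed count the 32-bit byte size wraps to exactly 0, so a writeability check fed that size would pass while the request still names over a billion events; only the patched condition refuses it.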

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds