LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

November: the month of kernel bugs

November 15, 2006

This article was contributed by Jake Edge.

A security researcher has proclaimed November to be the 'Month of Kernel Bugs' (MoKB) and is releasing one bug each day to highlight unreported issues with various kernels. The associated web site currently has six separate Linux bugs listed as well as bugs for MacOS, FreeBSD, Solaris and Windows. The project was first announced on the bugtraq mailing list along with a tool that can fuzz various Linux filesystems.

The Linux bugs described are all filesystem related; they were found using the fsfuzzer tool to generate various kinds of improperly formatted filesystem data and to feed it to the Linux filesystem code. This leads to various kinds of kernel problems, mostly crashes. Bugs have been found in several different filesystem types: ext2, ext3, iso9660, cramfs, and squashfs. The vulnerability found for cramfs actually exists in the zlib decompression code and could potentially lead to arbitrary code execution.

While these bugs are fairly serious, they are also fairly difficult to exploit. Other than iso9660, it is rare that a Linux user will mount a filesystem generated by some external, potentially malicious, entity. USB flash drives might provide a vector for exploiting some of these bugs, but users are hopefully savvy enough to be wary of mounting them if they do not know where they came from. Administrators may also remove the ability for regular users to mount filesystems, especially on sensitive machines such as servers.

Kernel bugs that allow arbitrary code execution are particularly serious because they can provide a way to completely take over the system. If an attacker can convince someone to mount a specially crafted cramfs image, they may be able to cause all manner of mayhem with that system. Attacks targeted at a specific person or company would seem to be the biggest concern as it would be somewhat difficult to use as a vector for a widespread infection; the logistics of distributing thousands of USB keychains to create a Linux botnet would be daunting. The money that could be earned by renting out the botnet, however, might be enough for some, especially if they could find a way to do it anonymously.

Two of the reported bugs against Windows wireless drivers would seem to be of little interest to Linux users, but, unfortunately, that is not the case. As mentioned here, Ndiswrapper is often used to provide Linux 'support' for many wireless adapters and, as Dave Jones points out, this makes Linux potentially vulnerable as well. It may be that the vendors release a fix promptly, but until they do, users of those drivers are vulnerable to attack. And, in any case, propagating a fix in a Windows network driver to a substantial portion of its users is not a simple thing to do.

The MoKB announcement mentions the possibility of 'silent fixes' of these problems; at least so far, that does not seem to be happening. Silent fixes are ones that fix a security problem, but in some way obfuscate the security implications of the fix (or, at least, are not accompanied by a security advisory). Proprietary vendors are well known for this kind of behavior, but one would hope open source developers are more, well, open about those kinds of things. The only fix that seems to have made its way into the kernel so far is for a an ext3/ext4 bug that was found prior to the MoKB. It was clearly described as a crash in the patch and the fsfuzzer tool was referenced. It did not specifically mention it as a security problem, but opinions differ on whether denial of service that is not caused externally should be considered a security issue.

While the fixes are not silent, they also do not seem to be very high on anyone's priority list, either. So far, there do not seem to be patches for any of the MoKB reported issues posted to the linux kernel mailing list. The zlib inflate issue, with its memory corruption potential, would seem like one that should be fixed relatively soon even if its exploit potential is low.

So far, MoKB has produced some interesting bugs, especially on other operating systems. We will be keeping an eye out for any others that might have a bigger impact on Linux users and for fixes going into the kernel. November is only half over.

(Log in to post comments)

November: the month of kernel bugs

Posted Nov 16, 2006 9:53 UTC (Thu) by addw (guest, #1771) [Link]

but users are hopefully savvy enough to be wary of mounting them if they do not know where they came from.

Just find someone who is busy enough and present them with a USB memory stick and they will probably just plug it in. It happens, the vulnerability should not be there.

And why not read the media?

Posted Nov 16, 2006 10:09 UTC (Thu) by eru (subscriber, #2753) [Link]

Just find someone who is busy enough and present them with a USB memory stick and they will probably just plug it in. It happens, the vulnerability should not be there.

Wasn't there a fairly recent report of an experiment by some security researchers who just left USB sticks lying on the street? A surprising number of people picked them up and plugged into their computers out of curiosity.

In a sense this is not at all unreasonable behavour. People think USB is just a piece of media, like a CD record, or simply a leaflet. The idea that merely reading it causes bad things to happen is counterintuitive.

I would argue that any system where you cannot safely insert a medium and mount it is seriously broken.

And why not read the media?

Posted Nov 16, 2006 16:59 UTC (Thu) by ghelmling (guest, #4140) [Link]

There was also the recent case of iPods infected with Windows virii by the manufacturer.

If you can compromise the point of origin for consumer devices, then you do have a potentially very large distribution network.

Of course, it would still probably be far more profitable to focus on Windows exploits than Linux exploits, given the relative size of the target audience, but the same principle applies. I agree that not being able to safely mount media is a serious problem.

And why not read the media?

Posted Nov 16, 2006 20:08 UTC (Thu) by k8to (subscriber, #15413) [Link]

Apologies in advance for my anal retentivity.

The word is viruses.

And why not read the media?

Posted Nov 29, 2006 13:57 UTC (Wed) by rwmj (subscriber, #5474) [Link]

Actually if the iPods were infected deliberately by a program that required the user to run, or ran automatically with an "autorun" mechanism, then the word would be 'trojan' or possibly 'worm' ...

Rich.

And why not read the media?

Posted Nov 16, 2006 21:11 UTC (Thu) by ballombe (subscriber, #9523) [Link]

If you plug an USB stick found on the street, a file system
vulnerability is the least of your worry. The USB stick can
be a device with whatever hidden functionality (exploding when
first plugged, transmit any bit passing throught via wifi to an
attacker, etc.).

And why not read the media?

Posted Nov 17, 2006 8:54 UTC (Fri) by eru (subscriber, #2753) [Link]

The USB stick can be a device with whatever hidden functionality (exploding when first plugged, transmit any bit passing throught via wifi to an attacker, etc.).

A good point. It actually applies to any modern solid-state media, like the various kinds of memory cards used in cameras and such, because they too are active (the system feeds elecricity in them that can run a processor etc.). So is the only kind of safe media the passive ones like tapes, diskettes and CD:s that spin in the drive and are read magnetically or optically? (And even these are not safe if file system code is buggy).

Silent fixes w.r.t open source software

Posted Nov 16, 2006 10:36 UTC (Thu) by dps (subscriber, #5725) [Link]

I think "silent fixes" to open soruce software are usually patches that add features or otherwise change non-security related things and also fix one or more security bugs. What makes the fix silent is that any notes accompnaying the patches fail to mention either the security fixes.

The code is generally obscure enough not to require any more obfuscication that just burying the security fixes in a pile of toher changes.

November: the month of kernel bugs

Posted Nov 16, 2006 13:19 UTC (Thu) by plougher (subscriber, #21620) [Link]

The only fix that seems to have made its way into the kernel so far is for a an ext3/ext4 bug that was found prior to the MoKB

I sent a fix for the cramfs/zlib oops to the LKML on 4th November. This has made its way into the latest -mm tree (2.6.19-rc5-mm2).

I have also fixed the Squashfs oops, and I have made the patch available on RedHat's bugzilla entry for this bug. These fixes will also be in the next Squashfs release (3.2).

That means 3 of the 6 Linux bugs are fixed.

November: the month of kernel bugs

Posted Nov 16, 2006 13:52 UTC (Thu) by plougher (subscriber, #21620) [Link]

So far, there do not seem to be patches for any of the MoKB reported issues posted to the linux kernel mailing list

The cramfs/zlib patch posting

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds