
An ancient kernel hole is closed


Posted Aug 20, 2010 21:12 UTC (Fri) by spender (guest, #23067)
In reply to: An ancient kernel hole is closed by chad.netzer
Parent article: An ancient kernel hole is closed

Here's a question: before entering in a discussion with the PaX Team, did you bother to do any research of your own? Did you, for instance, read Gael Delalleau's 2005 presentation? Did you specifically read slide 24 and onward? Did you bother to read any of the news articles recently that had mentioned that SuSE has had the fix since SuSE Linux Enterprise 9 (released in 2004)? Had you bothered to create the following test application for instance and see how it happily accesses over the stack gap (using gcc 4.3.2 here but it applies to every other gcc version)?

#include <stdio.h>
#include <string.h>

int main(void)
{
    /* Two 4096-byte locals: the frame is deliberately larger than one page.
     * buf is never written; it only pads the frame so that the first store
     * below the old stack pointer lands more than a page away from it. */
    char buf[4096];
    char buf2[4096];

    strcpy(buf2, "hello");

    printf("%s\n", buf2);

    return 0;
}

You'll notice the beginning of main() gets compiled by gcc to:
lea ecx, [esp+0x4]
and esp, 0xfffffff0
push dword ptr [ecx-0x4]
push ebp
mov ebp, esp
push ecx
sub esp, 0x2014 <--- look here
mov dword ptr [esp+0x8], 0x6 <--- and now here
mov dword ptr [esp+0x4], 0x80484f0

See, if you had done any research, you would have known about this behavior and known why then a single hardcoded guard page isn't acceptable in certain contexts for security. You'd know that Windows and MSVC don't have these problems. You would also have known about the additional hacks Linus added specifically to account for an incompatibility with an LVM app (after the stable kernels were already released and his buggy patch was pushed out without community review, causing oopses on some machines in addition).

From all of these reasons you would have known why the PaX Team objected to the patch itself and the way it was created and could have engaged in a reasonable discussion, yet with no knowledge and no intention of obtaining any on your own (you decided to take it "on faith" that Andrea's patch was used by SuSE) you chose to argue.

Why is it that people like you choose to engage in heated arguments with people who *have* done their research when it's evident that you've done absolutely none? How about taking responsibility for your own actions and behavior?

-Brad
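Added here as an illustration, not part of Brad's post: a small C model that walks the quoted prologue's stack writes in order and reports the largest run of pages jumped over without being touched, which is what decides whether an unmapped gap of a given size below the stack is ever hit. It assumes esp at entry lies on a page boundary (so the `and esp, 0xfffffff0` is a no-op) and models only the writes visible in the disassembly.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE 4096

/* Stack writes of the gcc prologue quoted above, as byte offsets from esp
 * at function entry (negative = below). Assumed: entry esp is already
 * 16-byte aligned, so "and esp, 0xfffffff0" changes nothing. */
static const int32_t prologue_writes[] = {
    -4,                 /* push dword ptr [ecx-0x4] */
    -8,                 /* push ebp */
    -12,                /* push ecx */
    -12 - 0x2014 + 8,   /* sub esp, 0x2014 ; mov [esp+0x8], 0x6 */
    -12 - 0x2014 + 4,   /* mov [esp+0x4], 0x80484f0 */
};
#define N_WRITES (sizeof prologue_writes / sizeof prologue_writes[0])

/* Page index by floor division: page 0 holds the entry esp, -1 is the
 * page just below it (worst case: entry esp sits on a page boundary). */
static int page_of(int32_t off)
{
    int q = off / PAGE;
    return (off % PAGE != 0 && off < 0) ? q - 1 : q;
}

/* Largest number of pages skipped without being touched as the writes,
 * taken in order, move the lowest touched page downward. */
int max_pages_jumped(const int32_t *writes, size_t n)
{
    int low = 0, worst = 0;
    for (size_t i = 0; i < n; i++) {
        int p = page_of(writes[i]);
        if (p < low) {
            if (low - p - 1 > worst)
                worst = low - p - 1;
            low = p;
        }
    }
    return worst;
}

/* An unmapped gap of gap_pages below the stack is only guaranteed to be
 * hit (and fault) if no single step can jump clean over all of it. */
int guard_gap_suffices(const int32_t *writes, size_t n, int gap_pages)
{
    return gap_pages > max_pages_jumped(writes, n);
}

int main(void)
{
    printf("pages jumped over: %d\n", max_pages_jumped(prologue_writes, N_WRITES));
    return 0;
}
```

For the quoted prologue the stores after `sub esp, 0x2014` land two pages below the pushes, so one untouched page lies between them and a single guard page is jumped over; a gap of two or more pages would be hit.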



An ancient kernel hole is closed

Posted Aug 20, 2010 21:39 UTC (Fri) by chad.netzer (subscriber, #4257)

Since you're the expert, is the current kernel fix adequate, or not? If not, what can be done to fix it?

I'm not the one claiming to be the security coding expert, but I *AM* now claiming that some of these experts are apparently an enormous pain to have to deal with.

> you decided to take it "on faith" that Andrea's patch was used by SuSE

I said that specifically *because* that was what PaXTeam claimed and *I* was giving him credit for probably being correct! I was attempting to be cordial on that point. And now you take umbrage, and try to hang me for it...

I'm done. You've successfully shouted down another inquisitor. Thanks for all your efforts with improving Linux security (sincerely; I can see you have enormous talent), but I don't need to put up with your distortions of my meaning, intent, and words.

An ancient kernel hole is closed

Posted Sep 3, 2010 0:20 UTC (Fri) by nix (subscriber, #2304)

> You would also have known about the additional hacks Linus added specifically to account for an incompatibility with an LVM app

Well, the LVM app was doing something sufficiently bizarre that if you'd asked me beforehand, I'd have said of course nobody would do anything like that. (I mean, parsing /proc/self/maps and mlock()ing everything you see? Why not mlockall()? Why would it fail for the guard page yet not for the vdso or vsyscall pages? Well, now we know.)

So, Linus didn't test every single app in the entire world before releasing a security fix. He didn't even test every ramification of every app on his machine. That's simply terrible. He should be publicly whipped.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds