
Local root vulnerability in the kernel

Local root vulnerability in the kernel

Posted May 15, 2013 15:14 UTC (Wed) by fuhchee (guest, #40059)
Parent article: Local root vulnerability in the kernel

"It wasn't seen as a security bug"

There may be an element of wilful ignorance here. https://patchwork.kernel.org/patch/2441281/ clearly said "passed by user-space ... out-of-bounds access".



Local root vulnerability in the kernel

Posted May 15, 2013 16:31 UTC (Wed) by arjan (subscriber, #36785) [Link]

To a large degree, just about any kind of kernel bug is a security issue; to a large extent that's just the nature/role of the kernel.

I know Spender does not really agree with how the kernel team handles these, but even Spender will likely agree with my first sentence.

GregKH and others handle it by saying "you really should be updating, because we don't know beforehand which of these bugfixes will have an exploit developed". They do not say "the planet is on fire" kind of thing. But the final thing is the same, you SHOULD update.

BTW, this also shows the danger of running older kernels, even if someone is backporting things for you; this bugfix might not have been picked up for backporting because there was no CVE for it... This one got found and CVE'd so it'll be backported. But there are likely dozens of similar changes with similar exposure for which no public exploit exists *yet*.

Local root vulnerability in the kernel

Posted May 15, 2013 16:43 UTC (Wed) by Trou.fr (subscriber, #26289) [Link]

So basically you would like to see everyone running the latest kernel from kernel.org?

Local root vulnerability in the kernel

Posted May 15, 2013 20:23 UTC (Wed) by fandingo (subscriber, #67019) [Link]

Not on the latest release. However, you should be using a kernel that is actively maintained, and you should be using the current version of that maintained series.

Kernel series being maintained (and hosted on kernel.org) are

mainline: 3.10-rc1 2013-05-12
stable: 3.9.2 2013-05-11
stable: 3.8.13 [EOL] 2013-05-11
stable: 3.7.10 [EOL] 2013-02-27
longterm: 3.4.45 2013-05-11
longterm: 3.2.45 2013-05-13
longterm: 3.0.78 2013-05-11
longterm: 2.6.34.14 2013-01-16
longterm: 2.6.32.60 2012-10-07
linux-next: next-20130515 2013-05-15

Local root vulnerability in the kernel

Posted May 15, 2013 16:50 UTC (Wed) by spender (subscriber, #23067) [Link]

Conversely, it demonstrates the danger of running newer kernels. The vuln was not present in older kernels, as newer kernels bring with them not only silent vuln fixes but also new, poorly-tested vulnerable code to exploit. (user namespaces anyone?)

Let's meet in the middle and say it demonstrates the danger of running Linux kernels ;)

-Brad

Local root vulnerability in the kernel

Posted May 15, 2013 17:12 UTC (Wed) by engla (guest, #47454) [Link]

It suggests we need a deeper approach to security, to combat this on multiple levels. The newest kernels have some holes and the older kernels have others.

Local root vulnerability in the kernel

Posted May 15, 2013 19:26 UTC (Wed) by nix (subscriber, #2304) [Link]

You're right in some areas, but here... I'm not sure user namespaces are a good example. If they're configured out there is no security risk, virtually no distro turned them on because many filesystems don't support them yet, they default to off because they're known to be not fully baked yet, and anyone who looks at something tricky and invasive like user namespaces and *doesn't* think 'hey, there are going to be multiple vulnerabilities, or at least horrible bugs, reported here while the design kinks are worked out' hasn't been using software very long.

Local root vulnerability in the kernel

Posted May 15, 2013 17:07 UTC (Wed) by spender (subscriber, #23067) [Link]

I didn't respond to the first part of your post yet.

You are correct that I don't agree with how the vulnerabilities are handled. However, you're incorrect that I agree with your first sentence. I feel that it's a form of a logical fallacy employed to excuse the handling of vulnerabilities.

-Brad

Local root vulnerability in the kernel

Posted May 15, 2013 17:20 UTC (Wed) by faramir (subscriber, #2327) [Link]

>to a large degree, just about any kind of kernel bug is a security issue; to a large extent that's just the nature/role of the kernel.

I would mostly agree with this statement as well, but I would point out that one can subdivide "security issue" into different categories. Here are some possible categories:

1. Denial of service
2. Leaking of privileged information
3. Modification of privileged information
4. Privilege escalation
5. Loss of user data

I would aggregate 2, 3, and 4 into a single bucket because historically they have frequently been found to be equivalent. It seems to me that this was a #3 bug and (again given historical trends) should have been treated as if it was a #4 bug. It clearly wasn't.

Perhaps if kernel programmers attempted to classify bugs using something like the above categories and then treated ones that fell into the more sensitive buckets as if they were security problems, this kind of thing could be prevented. Under the current system, we seem to be assuming that all kernel programmers are also security experts and can accurately assess the security implications of all of their code/bug fixes. This seems a little too much to ask even of them.

Local root vulnerability in the kernel

Posted May 15, 2013 21:03 UTC (Wed) by drag (subscriber, #31333) [Link]

It's not all that honest all the time. Certainly that can be part of it, but it's Linux kernel policy to not bring attention to bugs like this.

This has been brought up many times before on lwn.net.

There are a lot of people working with a lot of companies that market their products as being rather secure. They often see a distinct advantage to not admitting to problems because that makes their products look better when people compare vulnerability lists on places like Secunia.

Local root vulnerability in the kernel

Posted May 21, 2013 1:54 UTC (Tue) by vonbrand (guest, #4458) [Link]

Kernel programmers haven't got the time, nor the training, to try and classify each patch (ranging from wording in a comment, code reorganization for clarity, up to new subsystems) into your four buckets (there are in fact hundreds of other buckets to consider).

Local root vulnerability in the kernel

Posted May 15, 2013 21:33 UTC (Wed) by bojan (subscriber, #14302) [Link]

> GregKH and others handle it by saying "you really should be updating, because we don't know beforehand which of these bugfixes will have an exploit developed".

But that is exactly the opposite of what is so often being requested. If developers don't know, that's fine.

The issue is that the problems that are _known_ to have security impact are not reported as such.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds