Brief items
Security
Nguyen: CVE-2021-22555: Turning \x00\x00 into 10000$
For those who appreciate detailed descriptions of how to exploit a kernel vulnerability, this report on a netfilter bug by Andy Nguyen should certainly satisfy.
CVE-2021-22555 is a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the kubernetes pod isolation of the kCTF cluster and won 10000$ for charity (where Google will match and double the donation to 20000$).
A local root kernel vulnerability
Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:
We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
It may not sound like much, but they claim to have written exploits for a number of Ubuntu, Debian, and Fedora distributions. Updates from distributors are already flowing, and this patch has been fast-tracked into today's stable kernel updates as well.
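The advisory's "size_t-to-int conversion" deserves a closer look, because the interesting part is not the truncation itself but why the usual length check fails to catch it. The following is an added C model written for this page, not the kernel's or Qualys's code: `model_prepend_offset()` is a hypothetical stand-in for a prepend-into-buffer helper that narrows the buffer length to `int`, and it only computes where a write would land (nothing is written); `safe_prepend_offset()` shows the mitigation pattern of bounding the size before it is ever narrowed. The 2GB cap and all function names are assumptions for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a "prepend into the end of a buffer" helper whose
 * remaining length is an int. Returns the byte offset, relative to the start
 * of the buffer, at which namelen bytes would be copied, or LLONG_MIN if the
 * length check rejects the request. Wrap-around is done on uint32_t so the
 * model itself has no undefined behaviour; no memory is ever written. */
static long long model_prepend_offset(size_t bufsize, size_t namelen)
{
    /* The defect: a size_t buffer size is narrowed to int. A 2GB buffer
     * (0x80000000) becomes INT_MIN on two's-complement targets. */
    int buflen = (int)(uint32_t)bufsize;
    long long cursor = buflen;                 /* write cursor = buf + buflen */

    /* "buflen -= namelen; if (buflen < 0) fail;" with wrapping arithmetic:
     * INT_MIN - 10 wraps to a large positive value, so the check passes. */
    int after = (int)((uint32_t)buflen - (uint32_t)namelen);
    if (after < 0)
        return LLONG_MIN;                      /* rejected as too long */
    return cursor - (long long)namelen;        /* memcpy target offset */
}

/* Mitigation pattern: refuse any buffer that would not survive the int
 * conversion, before doing arithmetic on it. Returns 0 on success, -1 if
 * rejected. (The page's commit caps seq_file allocations; this cap is an
 * illustrative constant, not the kernel's value.) */
static int safe_prepend_offset(size_t bufsize, size_t namelen, long long *off)
{
    if (bufsize > (size_t)INT_MAX || namelen > bufsize)
        return -1;
    *off = (long long)bufsize - (long long)namelen;
    return 0;
}

int main(void)
{
    size_t tag = strlen("//deleted") + 1;      /* the 10-byte string, NUL included */
    long long off;
    printf("1GB buffer: offset %lld\n", model_prepend_offset(1ULL << 30, tag));
    printf("2GB buffer: offset %lld\n", model_prepend_offset(2ULL << 30, tag));
    printf("hardened 2GB: %s\n",
           safe_prepend_offset(2ULL << 30, tag, &off) ? "rejected" : "accepted");
    return 0;
}
```

With a 1GB buffer the write lands inside the buffer; with a 2GB buffer the model reports an offset of -2147483658, the "-2GB-10B below the beginning" from the advisory, while the bounded version rejects the request outright.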
Security quotes of the week
Even if you feel that the COVID crisis is reason enough to endorse government involvement in social media content takedowns, please consider for a moment the next steps. Today we’re talking about COVID misinformation. What sort of misinformation — there’s a lot out there! — will we be talking about tomorrow? Do we want the government urging content removal about various other kinds of misinformation? How do we even define misinformation in widely different subject areas?
And even if you agree with the current administration’s views on misinformation, how do you know that you will agree with the next administration’s views on these topics? If you want the current administration to have these powers, will you be agreeable to potentially a very different kind of administration having such powers in the future?
— Lauren Weinstein
I don't know where all of this is going right now, but I do know that I've been having conversations along these lines with a bunch of people over the last year or so, and there's a strong feeling that it's time for us to reclaim the open internet. To bring it back to the original vision of the earliest proponents and builders of the open web, in which it was all potential, but with the humility and knowledge of how that power can and will be abused. We can have an internet that empowers people, but not with blind optimism. We can recognize that optimism is warranted, but needs to be tempered with a healthy understanding of where things can go wrong. We can look for ways to enable more people to respond to those challenges, rather than relying on large companies and governments to step in and "solve it" for us -- often with a sledgehammer directed at the foundational things that make the internet such a valuable tool in the first place.— Mike Masnick
NSO can afford to maintain a 50,000 number target list because the exploits they use hit a particular “sweet spot” where the risk of losing an exploit chain — combined with the cost of developing new ones — is low enough that they can deploy them at scale. That’s why they’re willing to hand out exploitation to every idiot dictator — because right now they think they can keep the business going even if Amnesty International or CitizenLab occasionally catches them targeting some human rights lawyer.
But companies like Apple and Google can raise both the cost and risk of exploitation — not just everywhere, but at least on specific channels like iMessage. This could make NSO’s scaling model much harder to maintain. A world where only a handful of very rich governments can launch exploits (under very careful vetting and controlled circumstances) isn’t a great world, but it’s better than a world where any tin-pot authoritarian can cut a check to NSO and surveil their political opposition or some random journalist.
— Matthew Green comments on reports about spyware from the NSO Group
We’re not going to be able to secure the Internet until we deal with the companies that engage in the international cyber-arms trade.— Bruce Schneier
Kernel development
Kernel release status
The current development kernel is 5.14-rc2, released on July 18. Linus said:
At least in pure number of commits, this is the biggest rc2 we've had during the 5.x cycle. Whether that is meaningful or not, who knows - it might be just random timing effects, or it might indicate that this release is not going to be one of those nice and calm ones. We'll just have to wait and see.
In total, 421 non-merge changesets were pulled into the mainline between -rc1 and -rc2.
Stable updates: 5.13.3, 5.12.18, 5.10.51, and 5.4.133 were released on July 19; the large 5.13.4, 5.12.19, 5.10.52, 5.4.134, 4.19.198, 4.14.240, 4.9.276, and 4.4.276 followed one day later. The second set includes the fix for the just-disclosed local root vulnerability. Note that the 5.12.x series ends with the 5.12.19 release.
A GPIO driver in Rust
As an example of what a "real" device driver in Rust would look like, Wedson Almeida Filho has posted a translation of the PL061 GPIO driver alongside the original. For ease of reading, the resulting HTML has been reformatted a bit and placed below; viewing in a wide window is recommended.
Quote of the week
I think that it was back in 2006 when I first told Linus that my goal was to make memory ordering routine. I clearly have not yet achieved that goal, even given a lot of help from a lot of people over a lot of years.
Oh well, what is life without an ongoing challenge? ;-)
— Paul McKenney
Development
Rosenzweig: Reverse-engineering the Mali G78
Alyssa Rosenzweig goes into the details of the reverse-engineering of the Mali "Valhall" GPU instruction set.
Valhall linearizes Bifrost, removing the Very Long Instruction Word mechanisms of its predecessors. Valhall replaces the compiler’s static scheduling with hardware dynamic scheduling, trading additional control hardware for higher average performance. That means padding with “no operation” instructions is no longer required, which may decrease code size, promising better instruction cache use.
A document describing the instruction set has been released, along with an assembler and disassembler.
Miscellaneous
Stockfish sues ChessBase
The Stockfish project, which distributes a chess engine under GPLv3, has announced the filing of a GPL-enforcement lawsuit against ChessBase, which has been (and evidently still is) distributing proprietary versions of the Stockfish code.
In the past four months, we, supported by a certified copyright and media law attorney in Germany, went through a long process to enforce our license. Even though we had our first successes, leading to a recall of the Fat Fritz 2 DVD and the termination of the sales of Houdini 6, we were unable to finalize our dispute out of court. Due to Chessbase’s repeated license violations, leading developers of Stockfish have terminated their GPL license with ChessBase permanently. However, ChessBase is ignoring the fact that they no longer have the right to distribute Stockfish, modified or unmodified, as part of their products.
Page editor: Jake Edge