Lots of new stable kernels

[Posted February 23, 2024 by jake]

Greg Kroah-Hartman has announced the release of seven new stable kernels: 6.7.6, 6.6.18, 6.1.79, 5.15.149, 5.10.210, 5.4.269, and 4.19.307. As usual, they contain many important fixes throughout the kernel tree.

Lots of new stable kernels

Posted Feb 23, 2024 16:06 UTC (Fri) by danielthompson (subscriber, #97243) [Link] (10 responses)

... and it looks like the vulnerability reports have started to flow too:
https://lore.kernel.org/linux-cve-announce/

Lots of new stable kernels

Posted Feb 23, 2024 16:18 UTC (Fri) by wtarreau (subscriber, #51152) [Link] (9 responses)

Yes and for those who were scared about the flood, it's pretty reasonable, on avg 16/day or less than half of the patches, concerning use-after-free, out-of-bounds accesses etc. Let's hope it doesn't take too much effort to classify them, we need upstream developer time more than we need CVEs being filed.

Lots of new stable kernels

Posted Feb 23, 2024 18:00 UTC (Fri) by iabervon (subscriber, #722) [Link]

The initial information in the CVEs seems to be what a developer should provide to potential reviewers, plus what would be needed to backport it to stable series where it is correct. So I'd guess that there was effort to develop the tools, but no additional effort to produce the CVEs with those tools, over following the process.

It would take additional effort to determine possible impacts or mitigating factors or severity, since they want to fix even bugs with the impact "authorized users could cause system corruption by doing an operation that should be safely rejected", so the reports are announced without any of that.

Lots of new stable kernels

Posted Feb 25, 2024 0:15 UTC (Sun) by pbonzini (subscriber, #60935) [Link] (4 responses)

16 per day is several times what Red Hat gets from all other projects together, so it's pretty insane. Plus it seems like the team doesn't really agree on what constitutes a CVE, despite reassurances that it'd be obvious (https://git.kernel.org/pub/scm/linux/security/vulns.git/t...).

Several of the CVE reports also are off pretty bad quality, due to bugs in scripts that cannot handle multi-commit fixes or renamed files.

Lots of new stable kernels

Posted Feb 25, 2024 20:10 UTC (Sun) by roc (subscriber, #30627) [Link] (3 responses)

I skimmed a small random selection of the CVEs and they looked reasonable to me. So I guess even if you could avoid mistakes and disagreements, the count wouldn't change dramatically. If you excluded null pointer dereferences and other denial-of-service attacks, then the count might change dramatically, but I suppose many users do need to treat those as major issues.

To some extent this CVE flow is just reflecting "yes, the Linux kernel is a security disaster".

Lots of new stable kernels

Posted Feb 26, 2024 0:09 UTC (Mon) by geofft (subscriber, #59789) [Link]

I was curious about the null pointer dereferences - it seemed to me that on a system with mmap_min_addr nonzero, a null pointer dereference in the context of a user process (syscall or fault) just causes an oops, which kills the requesting process and nothing else, which is something the process could have done anyway (_exit(1), raise(SIGKILL), etc.) So it shouldn't automatically / inherently be a DoS unless you can e.g. cause it to oops while holding an interesting lock and thereby trigger a deadlock.

But apparently recent kernels panic after 10000 oopses (https://lore.kernel.org/all/20221107201317.324457-1-jannh...), so just running the null pointer dereference ten thousand times is a DoS. And the reason for this is that "harmless" null pointer dereferences commonly increment a counter such as a reference count or the number of holders of a read lock, and if that counter overflows to zero, then an exploit becomes possible. Which seems like a fair argument to me.

At my day job where I'm a sysadmin and an incident responder, I would absolutely count a DoS that takes down an entire running kernel as a security issue: if our systems shut down, we're definitely failing to make money, we might be unable to cancel orders or otherwise communicate with others to get us out of a position where we're losing money, and we're probably breaking contractual commitments to our customers. It's certainly not the highest risk - specially since, if you're at the point where you can attack our kernels, you probably have a form of userspace access we should already be deeply concerned about - but it's definitely on the list somewhere. Hurricanes and pandemics are also "only" DoSes to our business but we still made extensive plans to keep things running through those.

---

I think I see one obviously invalid CVE on this list, CVE-2023-52472: "Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy." (The only argument I can see is that it might fail in a downstream kernel that changes how memory allocation works, but if you're going to count the theoretical possibility of downstreams changing things, the entirety of your unchanged code is already a vulnerability.)

Everything else looks like an actual vulnerability with nonzero (though perhaps low) impact - including one that I clicked on because it didn't sound like a vulnerability at all from a subject line but turns out to be reported by the Zero Day Initiative.

Lots of new stable kernels

Posted Feb 26, 2024 17:36 UTC (Mon) by pawel44 (guest, #162008) [Link] (1 responses)

> To some extent this CVE flow is just reflecting "yes, the Linux kernel is a security disaster".

Nope, it just shows they care about security. You can't forget about it when comes to Windows or FreeBSD. They're [in]security disasters.

Lots of new stable kernels

Posted Feb 26, 2024 19:11 UTC (Mon) by roc (subscriber, #30627) [Link]

Why not both?

Lots of new stable kernels

Posted Feb 27, 2024 11:58 UTC (Tue) by bluca (subscriber, #118303) [Link] (2 responses)

That's pretty much the number we used to get in a month for the whole project, so very much not reasonable. On top of it, they are all of dubious quality - for example there's a "CVE" that is just a workaround to silence a static analyzer. I haven't spotted a single reproducer/PoC. It seems the best way to deal with this is to completely ignore the kernel CNA and consider its output at the same level of those bogus CVEs that get raised when a bot goes trawling the git history and files a CVE for every "bug fixed" commit message, and instead continue to rely on external entities doing the job right and pointing out real issues.

Lots of new stable kernels

Posted Feb 27, 2024 19:51 UTC (Tue) by roc (subscriber, #30627) [Link] (1 responses)

You should assume that buffer overruns and use after free are exploitable without a PoC exploit. It's almost always true.

Lots of new stable kernels

Posted Feb 27, 2024 20:44 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

> You should assume that buffer overruns and use after free are exploitable without a PoC exploit. It's almost always true.

That may very well be the case but the process here appears to be about scoring political points by overwhelming the CVE process with a lot of filings and then point at it and say see, this is broken instead of an introspective effort to actually address security disclosure issues that the kernel has long suffered from.