Page 1 of 5
Results 1 to 10 of 107

Thread: 8-year-old kernel security hole found

  1. #1
    Join Date
    Feb 2008
    Location
    Missoula, MT, USA
    Beans
    Hidden!
    Distro
    Kubuntu 11.04 Natty Narwhal

    8-year-old kernel security hole found

    http://www.theregister.co.uk/2009/08...cal_linux_bug/
    Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.

    The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn't always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine. . . .

    "This passes my it's-not-crying-wolf test so far," said Rodney Thayer, CTO of security research firm Secorix. "If I had some kind of enterprise-class Linux system like a Red Hat Enterprise Linux...I would really go check and see if this looked like it related, and if my vendor was on top of it and did I need to get a kernel patch."
    Gotta figure new kernel updates coming into the repos, maybe as soon as tonight ...
    Direct complaints and/or flames to /dev/null for faster service.
    Everyone who chanted "Drill, baby, drill!" in 2008 now has to report to the coast of the Gulf of Mexico for oil-spill cleanup duty.
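
The pattern the quoted article describes, as an added example that is not part of the original thread or of the kernel source: a userspace C model of an operations table in which an unimplemented operation has no handler, shown beside two fixes (a check at the call site, and a placeholder installed at registration). All names here (`sock_ops_model`, `no_sendpage`, `register_ops`, `demo_proto`, the dispatch functions) are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of a per-protocol operations table (hypothetical names). */
struct sock_ops_model {
    int (*sendmsg)(const void *buf, size_t len);
    int (*sendpage)(const void *page, size_t len); /* optional operation */
};

static int demo_sendmsg(const void *buf, size_t len) { (void)buf; return (int)len; }

/* Placeholder in the spirit of the sock_no_* stubs: fail cleanly. */
static int no_sendpage(const void *page, size_t len) { (void)page; (void)len; return -EOPNOTSUPP; }

/* Never implemented sendpage: omitted initializer members are zeroed, so the slot is NULL. */
static struct sock_ops_model demo_proto = { .sendmsg = demo_sendmsg };

/* The flawed pattern: call through the slot unvalidated (safe only after register_ops()). */
int dispatch_unchecked(const struct sock_ops_model *ops, const void *p, size_t n)
{
    return ops->sendpage(p, n);
}

/* Fix 1: validate at the call site and fall back to the placeholder. */
int dispatch_checked(const struct sock_ops_model *ops, const void *p, size_t n)
{
    if (ops == NULL || ops->sendpage == NULL)
        return no_sendpage(p, n);
    return ops->sendpage(p, n);
}

/* Fix 2: at registration, give every unimplemented slot its placeholder. */
int register_ops(struct sock_ops_model *ops)
{
    if (ops == NULL || ops->sendmsg == NULL)
        return -EINVAL;
    if (ops->sendpage == NULL)
        ops->sendpage = no_sendpage;
    return 0;
}

int main(void)
{
    printf("checked, before registration: %d\n", dispatch_checked(&demo_proto, "x", 1));
    printf("register: %d\n", register_ops(&demo_proto));
    return 0;
}
```

Fix 2 is the more robust of the two, since every caller is protected even if one of them forgets the check.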

  2. #2
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: 8-year-old kernel security hole found

    Good.
    Open source doesn't have the benefit of 'security through obscurity'.
    Since the code is open for public scrutiny best practices must be followed and it makes for better software overall.

  3. #3
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Beans
    195
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: 8-year-old kernel security hole found

    Quote: Originally Posted by Methuselah
    Good.
    Open source doesn't have the benefit of 'security through obscurity'.
    Since the code is open for public scrutiny best practices must be followed and it makes for better software overall.
    Ah good point. A lot of FOSS people argue that there is no such thing as 'Security through obscurity' and FOSS is more secure because it's open source, a lot more eyes read the code, somebody or the other would spot vulnerabilities and they would be fixed ..
    I think it's a never-ending debate ..
    I think there is some sense in both arguments, neither is totally right IMO ..

  4. #4
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,292
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 8-year-old kernel security hole found

    Quote: Originally Posted by kernelhaxor
    Ah good point. A lot of FOSS people argue that there is no such thing as 'Security through obscurity' and FOSS is more secure because it's open source, a lot more eyes read the code, somebody or the other would spot vulnerabilities and they would be fixed ..
    I think it's a never-ending debate ..
    I think there is some sense in both arguments, neither is totally right IMO ..
    It basically depends on who gets to read the code. The NSA, for example, have some of the world's best cryptographers behind their walls, so they can afford to keep their algorithms secret. The average company releasing closed source products, however, doesn't, so it would be foolish to buy their products and expect them to have a high level of security.

    Then again, open source isn't a guarantee of security either, as this thread demonstrates. Once again, it depends who gets to read the code. I don't mean to offend anyone, but I don't think thousands of Joe Averages make that much of a difference.
    Last edited by Bachstelze; August 14th, 2009 at 12:32 PM.
    「明後日の夕方には帰ってるからね。」


  5. #5
    Join Date
    Jan 2007
    Beans
    Hidden!

    Re: 8-year-old kernel security hole found

    Compared to Win and Mac, it's really nothing.

    Dereferencing an uninitialized pointer is worse than a null pointer because one can get a valid address easily. It's poor programming and there is no excuse for it.

  6. #6
    Join Date
    Jun 2007
    Location
    VA
    Beans
    187
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: 8-year-old kernel security hole found

    Quote: Originally Posted by Foster Grant
    http://www.theregister.co.uk/2009/08...cal_linux_bug/


    Gotta figure new kernel updates coming into the repos, maybe as soon as tonight ...
    Great. This is not good for my server uptime. But security fixes are good.

  7. #7
    Join Date
    Dec 2006
    Location
    Australia
    Beans
    1,097
    Distro
    Xubuntu 15.10 Wily Werewolf

    Re: 8-year-old kernel security hole found

    Good thing they've found the error. Bad thing is this will give Linux's opponents ammunition about how using amateur programmers and volunteers results in poor security, and how FOSS's community development model is not secure.

  8. #8
    Join Date
    Jun 2006
    Location
    Israel
    Beans
    292

    Re: 8-year-old kernel security hole found

    Quote: Originally Posted by samjh
    Good thing they've found the error. Bad thing is this will give Linux's opponents ammunition about how using amateur programmers and volunteers results in poor security, and how FOSS's community development model is not secure.
    Because of one exploit that's been discovered? Microsoft has hired programmers to develop its products, yet many exploits are continuously being discovered for them, even though the source is closed.

  9. #9
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,292
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 8-year-old kernel security hole found

    The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn't always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine. . . .
    Someone should have paid more attention in C classes. That's really basic stuff: never leave a pointer uninitialized...
    「明後日の夕方には帰ってるからね。」


  10. #10
    Join Date
    Sep 2007
    Location
    over there
    Beans
    2,517
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 8-year-old kernel security hole found

    Quote: Originally Posted by HymnToLife
    Someone should have paid more attention in C classes. That's really basic stuff: never leave a pointer uninitialized...
    That should be several someones. The dev who wrote the code, and the various eyes who reviewed the code before it went into the kernel.

    Still, never mind. I don't think anyone malicious has taken advantage of it in the past 8 years to bother a box. There's just a proof-of-concept attack, written by the vuln's discoverer Tavis Ormandy, and I don't think anything nasty will result from that as Linus has already written a patch. As long as every potentially vulnerable machine has that patch applied when it's released. Which is nicely taken care of round here by Ubuntu's Update Manager.
    "All people are scum. No matter what they look like." ~ Spider Jerusalem, Transmetropolitan #4

