Root Privileges Through Linux Kernel Bug 131
Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler."
As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."
Unrelated? The PDFs are the same! (Score:4, Informative)
How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).
Re:Unrelated? The PDFs are the same! (Score:5, Insightful)
The memory management issue is the thing that enables using a flaw in the X server to escalate privilege. If you fix the X server to not allow that kind of manipulation, you still have the kernel memory management issue that could be used by some other application to escalate privilege.
I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.
At least that is how I understand it...
Re: (Score:3, Informative)
I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.
The shm extension is integral to all modern xorg servers. You *may* be able to run xorg without shm, but many programs will refuse to work and performance will drop to a few percent of what it is with shm enabled. It's the transport the X server uses for communication with its client. With shm (shared memory) disabled, it has to serialize all objects and send them over a socket which of course is dog slow.
Re: (Score:2)
Hmm... It's really the pixmaps that are way faster over MIT-SHM. If you are local than the unix domain socket is not all that much slower, there is an extra copy involved. With the pixmap you can just modify the image directly. Though there was a long time where this was not universal, and when you expected it to work sometimes it did not since the 2D acceleration in the driver broke it since the pixmap was really in framebuffer memory.
But for a long time people have been doing XShmQueryVersion() and only u
Re: (Score:3, Funny)
How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).
The identical links are caused by another bug called PEBKAC.
Re:Unrelated? The PDFs are the same! (Score:5, Informative)
Re:Unrelated? The PDFs are the same! (Score:5, Informative)
Also if you read linus's patch notes [kernel.org] they're the exact same problem.
Re: (Score:2)
Does this really address the problem, won't using something like "int foo, bar[0x10000], baz;" in a function be able grow your stack around the SIGBUS check?
Nothing to see here.... (Score:3, Informative)
Re:Nothing to see here.... (Score:5, Insightful)
I don't agree that it's "nothing to see here" - something has gone wrong if it took 6 years for this to happen.
Re: (Score:2, Funny)
Here at Linux Vintners, we will commit no bug fix before its time.
This properly aged bug fix boasts an intense, highly indented C syntax and fragrant blackberry, vanilla, and dark chocolate comment style with just a hint of peppercorns. Richly textured and firmly structured, its lavish blackberry, ripe black plum, dark cherry and spice flavors are enlivened by crisp lint-warning-free compilations. Given its superb balance of fruit, oak, acid and tannin, this sumptuous contextual patch aged beautifully for 6
Re:Nothing to see here.... (Score:4, Insightful)
Agreed it would be good to know where the breakdown in communication happened. Did it get ignored because the submitter didn't realise it was a security issue and report it as such? Did someone just miss an email somewhere? (and if so why wasn't there a system in place to keep track of current security bugs and make it bloody obvious which ones still needed fixing along with someone responsible for looking at that list and fixing them). Was the breakdown on the SUSE side or the upstream side?
Re:Nothing to see here.... (Score:5, Interesting)
you didn't do it right (Score:5, Informative)
If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.
Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn' t make it in.
If you care about it...make some noise.
Re: (Score:3, Insightful)
But the problem is that often if you know about it, it's not really a big issue to you. If I know about an ugly pothole in the road, I can with little effort drive past it. So why then should I spend my valuable time pestering the road maintainers about it? Granted, maybe not in this specific case as you can't avoid the security hole but bugs in general you can often avoid the condition triggering the bug.
The first time you tell them, then maybe the only reason it's not fixed is because nobody told them abo
Re: (Score:1, Interesting)
"...the correct procedure is to keep pestering the maintainer..." wow, THAT's a screwed up procedure. If I go through the effort of identifying a flaw and submitting a patch and the maintainer doesn't acknowledge my existence, the hell I'm going to keep pestering him...
I mean THAT's the reality of it, it isn't that the maintainer just misplaced the e-mail. E-mails from Linus don't get accidentally misplaced. So why should e-mails reporting and fixing vulns get misplaced? It's BS and it's a little elitist cl
Re: (Score:2)
Isn't it something to see / know about until one gets that fix out to the kernel on our live system(s)? We expect a speedy fix. Now begins the race to get the fix live.
Re: (Score:2)
And I raise a mug of coffee to all my fellow sysadmins this evening. There goes my damned server uptime, and here comes my damned conscious uptime.
Sleep... she is for the weak!
Re: (Score:2, Troll)
Because if you don't have a flashy screensaver going, all the black will cause the damn Windows sysadmin to think that port of the KVM is unused and he can swipe it for another box.
Re: (Score:2)
SSH on a non-standard iptables limited port should be the only way into a Linux server, shouldn't it?
Re: (Score:2)
That's all great, until the switch fails. Let me know when SSH overcomes that whole lack of network connectivity scenario.
Re: (Score:2)
Lets see... there is data on the server that needs to be accessed NOW, not between now and the time switch gets fixed.
Re: (Score:1, Troll)
You see, in the real world, not everything is as pretty as your MS project plan.
Somebody using the term "managing task dependencies," comparing a sysadmin to a Dilbert-style PHB? That's fucking rich.
Re: (Score:2)
Here you go. Here is a real world, just happened to me example of why you need physical access to a server. We have redundant load balancers and redundant switches for our front end web servers. The load balancers glitched and for whatever reason stopped forwarding traffic to one of the virtual IPs. It wasn't enough of a glitch for them to fail over or to throw an alert. The other two VIPs on the load balancers were still working fine. It took me fourty-five minutes to coordinate with the network team
Re: (Score:3, Funny)
That's actually an inside joke. I did have a box that I had originally racked and set up on the rack KVM. Almost 2 years later, I was intending to walk up to the box and boot it in to single user mode to find out that someone had decided we never used the KVM port and had set it up for some other system. When I asked around, the best guess was that I had lost my spot on the KVM at least a year ago. I wondered aloud whether I needed to run a screensaver banner that claimed ownership of the KVM port to ke
Re: (Score:2)
Well, i usually use serial consoles instead of a KVM...
A basic KVM is cheap, but IP based ones are pricey.. Serial consoles are cheap and you can still access them without having to go and stand in the server room.
Plus an IP based KVM uses a lot of bandwidth to transfer screendumps over the network, making it rather useless on a slow link.... Serial is much better in this regard.
Re: (Score:3, Interesting)
Re: (Score:2)
It's needed very occasionally when you want to diagnose why it has lost network connectivity.
Re: (Score:2)
SSH on a non-standard iptables limited port should be the only way into a Linux server, shouldn't it?
On cheap commodity hardware, maybe. On real server equipment you have an out-of-band management controller.
Re: (Score:3, Informative)
It's not, but the Linux kernel is... and that's where the vulnerability is...
Re: (Score:2)
Apparently you need an X server to install and run some parts of Oracle...
Re: (Score:3, Informative)
Race?
The most popular distros already patched it days ago and others are currently in testing.
Redhat patched it 2 days ago [redhat.com].
Ubuntu patched it 2 days ago [launchpad.net].
Fedora is currently testing the patches [spinics.net]. Not sure if it's already live.
Debian Lenny has patched it [debian.org].
Re: (Score:2)
Race?
The most popular distros already patched it days ago and others are currently in testing.
Yes, race. All that is part of it. But that doesn't put the kernal live on any given system. I have to take that step. And, depending on your environment, that may require a bunch of other operational steps.
I'm not making a comment on the difficulty of doing any of this (it tends to be quick and painless in most situations). I'm noting that this is, in fact, news. There IS something to see here. People who are in the position to update a kernal should know about this and know to push it (if they have
Re: (Score:2)
Re: (Score:2)
Re:Nothing to see here.... (Score:5, Insightful)
Nothing to see here? Will you say the same thing when Microsoft waits 6 years to apply a fix to WinXP? :)
Yes, these things are less likely to happen with Linux. That doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere. I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again.
Re: (Score:2)
Re: (Score:2)
See my post further down..
http://linux.slashdot.org/comments.pl?sid=1760032&cid=33310162 [slashdot.org]
It's already available for download. I gave ubuntu as an example however I'm pretty sure other distributions have also already provided the update too.
Re:Nothing to see here.... (Score:4, Funny)
Re:Nothing to see here.... (Score:5, Funny)
Compare to Apple... (Score:3, Interesting)
Compare this to Apple, which still hasn't fixed my Darwin kernel ring 0 exploit, which I reported in June.
It's x86-only, so no, it can't be used for the second step of an iPhone jailbreak. =(
Re: (Score:2)
By my calculations, this means they've taken 2.5 months, which means they're about 5 years, 9.5 months ahead of schedule if they follow the 6 year benchmark set by the Linux kernel.
What's the problem? They've got plenty of time!
Re: (Score:3, Informative)
If I read the git patch correctly, if said root process has a memory-mapped page coincident with a non-root process, and the non-root process can write to said memory mapped region (via having it memory mapped into their own process), then said non-root process can affect the behavior of the root process.
What was broken, and appears to have been corrected, is that an application's *stack* could grow into a memory-mapped page and corrupt the data in the root process while it's at it. (The stack is a piece of
Re:Wait... what? (Score:5, Informative)
Actually, no, this is a simple Stack Buffer Overflow. Basically, by causing a running privileged process (e.g. X Server) to make a recursive call, the stack will grow into memory space owned by the unprivileged user. Now, all the unprivileged user has to do is put some code somewhere (perhaps by exploiting another buffer overflow) and rewrite the return address, which lives in its memory page.
The fix adds a guard page between the shared memory region and the system stack to protect against the stack growing into memory where it is no longer protected. At any rate, ProPolice would have prevented this mistake from being exploitable.
Re: (Score:2)
Wait...they didn't already have a guard page? I kinda assumed that was already there. Ow.
*marks self down as "needs improvement" in patch reading comprehension skills*
Tuesday (Score:2, Funny)
You're holding it wrong.
Re:Tuesday (Score:5, Funny)
At least we don't have to wait for four Tuesdays' time for the fix...
No, we had to wait over 300 Tuesdays for the fix to the kernal. That's 75 times better!
The Beauty of Open (Score:2, Troll)
Already fixed in Ubuntu (Score:5, Informative)
So I read the PDF...
which is the patch.. "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"
and meanwhile my ubuntu update managaer pops up and shows an update for the kernel and gives the following link to the changelog...
http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog [launchpad.net]
Nice to see people are on the ball with security updates, even if it shouldn't have been happened in the first place.
Obligatory... (Score:5, Funny)
This won't be a problem for me since I don't run Linux.
Now the shoe's on the other foot!
A fix that was overlooked (Score:1)
Old news ;) (Score:2)
So in most cases, when i read about bad bugs in Linux it's 'old news'.
(Blatantly ignoring the six years it took to actually get the fix in
Re: (Score:1, Interesting)
Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.
Re:Linux! "It just works!" (Score:5, Funny)
Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.
Re: Ask the Kernel Overlords (Score:5, Interesting)
Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.
I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter.
Re: Ask the Kernel Overlords (Score:4, Informative)
Behold the phenomenal power off Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week [kernel.org].
Re: Ask the Kernel Overlords (Score:4, Interesting)
Re: (Score:2)
I view this as SuSE seeing the critical nature of the patch and including it irrespective of what Linus or the other kernel team guys think.
That this was not included after submission was a fairly serious error.
Re: (Score:2)
You're lucky to get a "Can you bisect?"
All I got was a "Does it blend?" and a derisive snort.
Re: (Score:3)
Re:Linux! "It just works!" (Score:5, Insightful)
Indeed, 5 years old and no exploit.
How do you know?
Re: (Score:2)
Indeed, 5 years old and no exploit.
You can't be sure of that.
Re: (Score:1, Troll)
I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?
Re: (Score:2)
I can audit the code myself, or pay someone else to audit it. Also thousands and possibly millions of people are already auditing it, for free! I can fix the bugs myself, or pay someone to fix them.
Re: (Score:3, Insightful)
I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?
I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.
Re: (Score:2)
Bugs are apart of software as a whole. Every program open or closed is vulnerable to some kind of bug. The difference being however that with linux bugs I tend to hear about them after I already downloaded the fix. [slashdot.org]
Re: (Score:2)
The difference being however that with linux bugs I tend to hear about them after I already downloaded the fix.
That's called a false sense of security.
Re: (Score:2)
No, it's simply a small piece of evidence that Linux gets fixed faster then windows does.
Re: (Score:2)
Right. Like I said, a false sense of security. Think about the ramifications of what you're saying.
Re: (Score:2, Informative)
Re: (Score:2, Troll)
Then why wasn't the patch submitted to mainline six years ago? Or if it was, why did it take so long to get accepted?
Re:Long live to SUSE??? (Score:5, Informative)
"SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel"
Re: (Score:2, Insightful)
No, normally access to the machine at user level should not imply access to the machine at root level.
Re: (Score:2)
Re: (Score:3, Interesting)
Re:ZOMG!!! (Score:4, Insightful)
What part of "local attackers" do you fail to understand?
Re:ZOMG!!! (Score:5, Funny)
Cut the guy a break, he's a Windows fanboy. He probably thinks a local user is just anyone in the same geographic region.
Re: (Score:3, Insightful)
He's a troll, but that doesn't mean that there isn't a grain of truth to what he implies. Most Windows exploits are also technically local attacks, as are Trojans (by definition). Somebody thinking that they're safe (because the software runs with limited permissions) would be in for a nasty surprise if an attacker exploited this.
Re: (Score:2)
A vulnerability in a graphics-decoding library used by IE is a local exploit, but it can be used by remote attacks who embed a malicious image in a website or email. That would meet exactly the description you gave, for the way that MS words their patch notes.
Just because a vulnerability is local doesn't mean it can't be triggered remotely. It simply means that something needs to be done on the local machine - such as visiting a web page, reading an email, or running a supposedly safe command - for an explo
Re: (Score:2)
Re: (Score:1, Troll)
And just 4 days after you posted this, this happens.. Windows DLL Vulnerability Exploit In the Wild [slashdot.org]. The best part being, the linux security bug got fixed already, whereas the windows exploit is already out there on machines and makes 1000s of windows apps insecure.
Just enough time for me to come back and gloat. Linux 1, Windows 0.
Re: (Score:1)
a redundant first post...?
Re: (Score:3, Funny)
a redundant first post...?
Yes, there was a redundant x in "h4xx0r5".
Re:Wow! Linux is really Secure. (Score:5, Insightful)
Look at this graph: http://linuxinsecurity.blogspot.com/ [blogspot.com]
Please do. Notice how the graphs show Windows with 10-12% of the issues unpatched?
That's the problem. Well that and the missing graph showing "time to patch"...
Re: (Score:3, Informative)
Yes, something is seriously wrong with this comparison. You compare a clean and unused operatingsystem with a fullfledged Linuxdistribution with a lot of applications.
Of course the Linuxdistribution will have more bugs, but you dont have to install all the software that comes with it. On the other hand, to be able to use the Windows server to something useful, you have to install more Microsoft and/or thirdparty software. It isnt even a webserver without installing more software in Secunias statistics. I
Re: (Score:2)
Also that full fledged linux distro has a single update mechanism for all of the applications... If you install equivalent apps on a windows system chances are they will need their own separate update mechanisms, or not have an update system at all, which massively increases the chance of unpatched apps being present.