08-13-2009, 06:18 PM | #1
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Linux NULL pointer dereference due to incorrect proto_ops initializations
Quote:
Tavis Ormandy and [Julien Tinnes] have recently found and investigated a Linux kernel vulnerability. It affects all 2.4 and 2.6 kernels since 2001 on all architectures. [They] believe this is the public vulnerability affecting the greatest number of kernel versions.
The issue lies in how Linux deals with unavailable operations for some protocols. sock_sendpage and others don't check for NULL pointers before dereferencing operations in the ops structure. Instead the kernel relies on correct initialization of those proto_ops structures with stubs (such as sock_no_sendpage) instead of NULL pointers.
Complete Article (Please note that Linus Torvalds committed a patch for this today).
BTW, thanks to Slashdot for covering this.
Last edited by win32sux; 08-13-2009 at 06:21 PM.
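An added example, not code from the post or from the advisory it quotes: a constructed C model of the ops-table pattern the advisory describes, showing a table whose sendpage slot was left NULL beside one initialized with a stub (the role sock_no_sendpage plays), plus a dispatcher that checks the slot before calling through it. The struct layout, function names and return values are assumptions for illustration, not the kernel's own.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the kernel's proto_ops dispatch (not kernel code).
 * Each protocol family fills a table of function pointers that the generic
 * socket layer calls through. Per the advisory, callers such as sock_sendpage()
 * dereference ops->sendpage without a NULL check and rely on every family
 * having installed a stub such as sock_no_sendpage() in unused slots. */
struct page;   /* opaque stand-in for the page being sent */
struct proto_ops {
    const char *name;
    int (*sendmsg)(const char *buf, size_t len);
    int (*sendpage)(struct page *pg, size_t off, size_t len);
};

/* Stub in the role of sock_no_sendpage(): a safe "operation not supported". */
static int no_sendpage(struct page *pg, size_t off, size_t len)
{
    (void)pg; (void)off; (void)len;
    return -EOPNOTSUPP;
}
static int demo_sendmsg(const char *buf, size_t len)
{
    return (buf != NULL && len > 0) ? (int)len : -EINVAL;
}

/* Vulnerable shape: sendpage slot left NULL (the bug class in the advisory). */
const struct proto_ops ops_unfixed = { "demo_unfixed", demo_sendmsg, NULL };
/* Fixed shape: every slot initialized with a stub, never NULL. */
const struct proto_ops ops_fixed = { "demo_fixed", demo_sendmsg, no_sendpage };

/* Audit helper: does a table still contain a NULL slot a caller could hit? */
int ops_table_has_null_slot(const struct proto_ops *ops)
{
    return ops->sendmsg == NULL || ops->sendpage == NULL;
}

/* Dispatcher modelled on sock_sendpage(). The unfixed caller jumped straight
 * through ops->sendpage; this version adds the check the callers lacked, so a
 * NULL slot becomes an error return instead of a NULL function-pointer call. */
int checked_sendpage(const struct proto_ops *ops, struct page *pg,
                     size_t off, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -EOPNOTSUPP;   /* defensive: never call through NULL */
    return ops->sendpage(pg, off, len);
}
```

The audit helper is the check a reviewer would run over every family's table: the real fix was to replace the NULL slots with stubs, and the dispatcher check is belt-and-braces for callers that cannot trust every table.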
08-14-2009, 07:30 AM | #2
Member | Registered: May 2009 | Posts: 36
Is this a problem that your distro would issue an updated package for, or do you need to fix the problem yourself?
Last edited by bloodsugar; 08-14-2009 at 07:32 AM.
08-14-2009, 07:55 AM | #3
Moderator | Registered: May 2001 | Posts: 29,415
Distributions can backport fixes and release an updated kernel package, but you can also compile the vanilla kernel.org kernel yourself if you don't want to wait.
08-14-2009, 09:31 AM | #4
Member | Registered: May 2009 | Posts: 36
Thanks unSpawn.
I have compiled a vanilla kernel from kernel.org in the past; however, I have not applied a fix like this before. I'm guessing it's a case of copying the file to the correct directory in the kernel source and compiling?
Is there a chance I could screw this up? Would I be better off waiting for kernel.org to update their 2.6 kernel and then compiling that?
Last edited by bloodsugar; 08-14-2009 at 09:32 AM.
08-14-2009, 09:53 AM | #5
Member | Registered: May 2007 | Location: Chas, SC | Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack | Posts: 430
Quote:
Originally Posted by bloodsugar
Thanks unSpawn.
I have compiled a vanilla kernel from kernel.org in the past; however, I have not applied a fix like this before. I'm guessing it's a case of copying the file to the correct directory in the kernel source and compiling?
Is there a chance I could screw this up? Would I be better off waiting for kernel.org to update their 2.6 kernel and then compiling that?
kernel.org applied the fix to the tree yesterday, but not all vendors have a fix yet.
https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10
Here is the recommended Red Hat fix for the time being. It may work on other distros since it's all modprobe changes, but I'm not 100% sure. (I don't see why it wouldn't, though.)
08-14-2009, 09:57 PM | #6
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Original Poster
Quote:
Originally Posted by bloodsugar
I have compiled a vanilla kernel from kernel.org in the past; however, I have not applied a fix like this before. I'm guessing it's a case of copying the file to the correct directory in the kernel source and compiling?
Kind of. You basically download the patch, then run it through the patch program, which will apply the necessary changes to the file(s) in your source code. You can read something like this to get a better understanding of the patching process. It's actually really simple once you get the hang of it.
Quote:
Is there a chance I could screw this up? Would I be better off waiting for kernel.org to update their 2.6 kernel and then compiling that?
Of course there's a chance you could screw up. BTW, what distro do you use? I ask because your distro will likely be releasing updated kernel packages soon (check with their bug tracker for relevant discussion). For what it's worth, Debian released a patched kernel package today.
Code:
win32sux@stingray:~$ uname -a
Linux stingray 2.6.26-2-486 #1 Fri Aug 14 01:02:21 UTC 2009 i686 GNU/Linux
So it looks like you've got at least three choices: wait for your distro to release an updated kernel package; wait for upstream to release a new stable source tarball; or download the current upstream stable source tarball and patch it on your own. The urgency with which you need to fix this vulnerability should probably be the determining factor.
Last edited by win32sux; 08-14-2009 at 09:59 PM.
08-15-2009, 12:21 PM | #7
Member | Registered: May 2009 | Posts: 36
Quote:
Originally Posted by win32sux
You can read something like this to get a better understanding of the patching process. It's actually really simple once you get the hang of it.
Yeah, that looks OK, thanks for the link.
Quote:
Originally Posted by win32sux
BTW, what distro do you use?
Slackware.
There are no packages available yet. I think I'll wait until Monday, and then have a go at it myself.
Thanks
08-15-2009, 04:41 PM | #8
LQ Veteran | Registered: May 2008 | Posts: 7,070
Quote:
Originally Posted by bloodsugar
Slackware.
There are no packages available yet. I think I'll wait until Monday, and then have a go at it myself.
Slackware doesn't always release new kernel packages for vulnerabilities like this one. The kernel in Slackware 12.2 is still 2.6.27.7 despite there being many local vulnerabilities fixed between that and the latest 2.6.27.29. I'm not entirely sure what Pat's criteria are for deciding whether to release an updated kernel package or not.
On the plus side, as Slackware doesn't mess with the kernel, it's relatively straightforward to build your own from the upstream sources, which is what I do.
08-16-2009, 02:16 AM | #9
LQ Newbie | Registered: Jun 2009 | Posts: 18
Currently I'm running 2.6.29.6-grsec (all grsec and PaX options enabled), but what I want to know is, where do I find the following so I can disable them like in the blog?
PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25, PF_BLUETOOTH, PF_IUCV, IPPROTO_SCTP/PF_INET6, PF_PPPOX, PF_ISDN
08-16-2009, 09:41 PM | #10
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Original Poster
Quote:
Originally Posted by MikeQ
Currently I'm running 2.6.29.6-grsec (all grsec and PaX options enabled), but what I want to know is, where do I find the following so I can disable them like in the blog?
PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25, PF_BLUETOOTH, PF_IUCV, IPPROTO_SCTP/PF_INET6, PF_PPPOX, PF_ISDN
You could do kernel module blacklisting (such as suggested by Red Hat), but if you're using the latest grsecurity patch for version 2.6.29.6 you're already covered with a proper fix, so this kind of mitigation wouldn't be necessary.
At the time of this post the latest grsecurity patch for version 2.6.29.6 was:
grsecurity-2.1.14-2.6.29.6-200908140946.patch
Last edited by win32sux; 08-16-2009 at 09:55 PM.
08-17-2009, 08:57 AM | #11
LQ Veteran | Registered: May 2008 | Posts: 7,070
2.6.27.30 and 2.6.30.5 official kernels have been released and include the fix for this issue.
Time to get compiling...
08-18-2009, 11:49 AM | #12
Member | Registered: May 2009 | Posts: 36
Is it the case that when upgrading a kernel from, say, my current kernel 2.6.30.2 to the new 2.6.30.5, sometimes there won't be any new kernel options when you do 'make oldconfig'?
I do the 'make oldconfig' step and it tells me 'configuration written to .config', and exits.
08-18-2009, 12:37 PM | #13
LQ Veteran | Registered: May 2008 | Posts: 7,070
@bloodsugar, yes, that's not unusual, especially when only changing the minor version number.
I didn't see any new options when going to 27.30 either.
08-18-2009, 03:04 PM | #14
Member | Registered: May 2009 | Posts: 36
I see, thanks Gaz.
BTW, what's the 2.6.27.30 kernel?
08-19-2009, 01:01 AM | #15
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Original Poster
Quote:
Originally Posted by GazL
Slackware doesn't always release new kernel packages for vulnerabilities like this one. The kernel in Slackware 12.2 is still 2.6.27.7 despite there being many local vulnerabilities fixed between that and the latest 2.6.27.29. I'm not entirely sure what Pat's criteria are for deciding whether to release an updated kernel package or not.
On the plus side, as Slackware doesn't mess with the kernel, it's relatively straightforward to build your own from the upstream sources, which is what I do.
Interestingly enough, they did release one this time.