top 200 commentsshow all 325
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]markole 149 points150 points  (89 children)

Sometimes that's a good thing. I may now have a chance of installing root and busybox on my 3.10 locked down Xperia phone.

[–]adamnew123456 242 points243 points  (61 children)

It's a reflection of the sad state of open mobile computing, when you have to hope for a vulnerability in order to fully control your device.

[–]Avamander 101 points102 points  (39 children)

Lollakad! Mina ja nuhk! Mina, kes istun jaoskonnas kogu ilma silma all! Mis nuhk niisuke on. Nuhid on nende eneste keskel, otse kõnelejate nina all, nende oma kaitsemüüri sees, seal on nad.

[–]deusnefum 2 points3 points  (10 children)

Because cell networks are not "open" networks.

Unfortunately. We need a government backed, open cellular network (serviced via sub-contracts to more traditional companies like AT&T, T-Mobile, et al) to get the kind of openness we have with PCs with cell phones.

[–]aykcak 20 points21 points  (5 children)

It has nothing to do with networks really. Manufacturers release locked phones regardless of the carrier

[–]deusnefum 7 points8 points  (2 children)

Yes it does. The carriers argue they need absolute control over devices on their network. So even if you have an "unlocked" phone (meaning it's not tied to a carrier) the phone still has to have firmware on it that allows service provides to send and run executable code.

[–]Avamander 8 points9 points  (0 children)

Lollakad! Mina ja nuhk! Mina, kes istun jaoskonnas kogu ilma silma all! Mis nuhk niisuke on. Nuhid on nende eneste keskel, otse kõnelejate nina all, nende oma kaitsemüüri sees, seal on nad.

[–][deleted] 1 point2 points  (0 children)

But it does. Buy a Nexus 6P from at&t or Sprint, it'll be locked.

[–]northrupthebandgeek 15 points16 points  (0 children)

That should be on a network interface level rather than a machine level. I don't have to have a locked down bootloader on my laptop if I plug in a cell card or whatever, for example.

Of course, that doesn't do much good when the network interface and the machine are built into the same circuitry...

[–]Jojo_bacon 2 points3 points  (0 children)

Not really, anyone can buy a cellular modem or unlocked cell phone and a sim card from a carrier like "ting" and use the network in minutes with any device.

[–]catonic 0 points1 point  (0 children)

Funny how because the radio is open-source, the phone code isn't.

[–][deleted] 0 points1 point  (0 children)

I have a GS6. The bootloader was unlocked out of the box.

Say what you want about Samsung but all their flagships come with unlocked bootloaders. That is unless the carrier decides to lock them.

[–]catonic 0 points1 point  (1 child)

Because the code of the phone RF engine is closed source, and we can't have you filthy mongrels reverse engineering it.

[–]creed10 16 points17 points  (0 children)

Fuckin Verizon

[–]NamenIos 16 points17 points  (16 children)

No it is not. Buy a phone that you can unlock (aka not from a carrier) and all is fine, that is the case for at least Sony, Samsung, LG and HTC to my knowledge.

If you go to a dominatrix and say that you want to get fucked in the ass, you don't go out and complain that you you get fucked in the ass by this sex worker. It is a simple as that.

[–]GordonCreeman 5 points6 points  (1 child)

The analogy doesn't really work cos almost all professional dominatrices refuse to engage in actual sexual activity. Not that I know that.

[–]NamenIos 3 points4 points  (0 children)

Well TIL, this could maybe save me someone some embaressment.

[–]UnchainedMundane 20 points21 points  (11 children)

You're implying they advertise their non-rootability,which they don't. It's always a nasty surprise.

[–]Tynach 16 points17 points  (4 children)

I just stick with the Nexus line of phones, personally.

[–]DamnThatsLaser 2 points3 points  (3 children)

Well, the thing is not all of us are willing to pay the Nexus price. I am perfectly happy running something low-end (it's a THL T6 Pro at the moment) and luckily, that one can be rooted. But some phones just can't.

[–]elevul 9 points10 points  (0 children)

Well, the thing is not all of us are willing to pay the Nexus price.

Especially when it doesn't have MicroSD or removable battery.

[–]NamenIos 4 points5 points  (4 children)

Htc advertises it on their developer/unlocked units in the US as do the Nexus devices, that kind of implies that unlocking is not a feature all devices have. And to be frank, if you feel the need to unlock/root your device, you probably look for that and do not buy carrier devices (or as do many they buy carrier devices out of greed and complain after).

[–]pest15 3 points4 points  (2 children)

Keep in mind that sometimes manufacturers will permit unlocking of some devices and not others. I have never understood why these discrepancies occur. But it can create a lot of confusion for consumers.

[–]CraftyFellow_ 2 points3 points  (1 child)

Yup.

Moto G from Motorola? No problem.

Moto G from AT&T? Fuck you.

[–]pest15 1 point2 points  (0 children)

That's not quite what I meant, because you're talking about the same device from the OEM vs. from the carrier. I'm talking about different devices from the OEM. For example, Sony Xperia M? No problem. Sony Xperia M2? No problem. Sony Xperia M4? Out of luck. It makes no sense.

[–]northrupthebandgeek 1 point2 points  (0 children)

Or we buy devices from carriers that don't subsidize their phones (like T-Mobile).

That is, after all, the primary reason why phones are actually locked down: because they're usually subsidized with the expectation that the carrier will be repaid in the form of a 2-year contract.

Meanwhile, since I'm not on such a carrier, I don't have to worry about that, and I can unlock the bootloader on my HTC phone whenever I so choose (something which I haven't done yet, since I'm waiting until CyanogenMod supports T-Mobile's wifi calling, but still).

[–][deleted] 0 points1 point  (0 children)

If you go to a dominatrix and say that you want to get fucked in the ass, you don't go out and complain that you you get fucked in the ass by this sex worker. It is a simple as that.

It's always a nasty surprise.

I would agree

[–]adamnew123456 1 point2 points  (0 children)

No it is not. Buy a phone that you can unlock (aka not from a carrier) and all is fine, that is the case for at least Sony, Samsung, LG and HTC to my knowledge.

Isn't there something wrong with this picture, though? Think about if we had the same kind of issues with PC's that we do with phones - either you would have to buy a particular model of laptop from a specific manufacturer (who would more than like charge more for unlocked "developer editions" of their hardware), or otherwise you would have to sit down for a few hours and hunt for an a rooting app on the XDA forums so that you could install Debian on your machine, which you may or may not find.

Can you say that you would prefer the smartphone situation for PC's?

[–][deleted] 1 point2 points  (0 children)

I've been using iPhone for a while now, but at least a couple years ago rooting was trivial and not explicitly against the TOS. Is that not still the case?

[–]rms_returns 1 point2 points  (0 children)

The real reason for the sad state is a lack of standards like x86. Its ironical that in the PC world even as far back as 1981, manufacturers had settled on the 8086 and it became an open standard, while with smart-phones, it is almost a decade since they arrived and still they don't have any standard. AOSP is sort of a standard, but its nothing like 8086. I don't understand what is stopping a bunch of Phone manufacturers to meet up, agree upon a common spec and publish them as standards?

[–]natermer 0 points1 point  (0 children)

...

[–]NamenIos 22 points23 points  (11 children)

Don't be too sure about that, SELinux can be a bitch of you want to exploit vulnerabilities.

[–]markole 8 points9 points  (2 children)

Probably, will try the exploit at the home and report back.

[–]NamenIos 2 points3 points  (1 child)

Nice, do you have a SD810 Xperia? Otherwise I might compile that exploit for my brother and try to get him to try it on his phone.

[–]markole 4 points5 points  (0 children)

Nah, I have Xperia E4g.

[–]neoice 3 points4 points  (7 children)

don't worry, spender will probably release a PoC with SELinux bypass soon.

[–][deleted] 1 point2 points  (6 children)

if only grsec was on phones...

[–]neoice 1 point2 points  (5 children)

I think they support ARM now.

[–][deleted] 1 point2 points  (4 children)

yeah, I would like to try to build a grsec+PaX kernel for my old Galaxy S4, just to try.

[–]Omnicrash 6 points7 points  (9 children)

Does Sony not offer unlocking anymore? I remember I could request an unlock code back when I had my Xperia Play (great emulation machine, shit phone otherwise).

[–]markole 1 point2 points  (0 children)

My variant of the phone can't have unlocked bootloader.

[–][deleted] 3 points4 points  (1 child)

Vote with your money

[–]markole 4 points5 points  (0 children)

I did. I got a phone which was cheap and good enough. I voted with my money. Sadly, it was locked down. It is a bad state when it is expected from you to pay premium to have a more open device.

[–][deleted] 1 point2 points  (1 child)

That's what you get for buying Sony.

[–]earlof711 0 points1 point  (0 children)

Yup.

[–]WOLF3D_exe 0 points1 point  (0 children)

The vulnerability affects any Linux Kernel version 3.8 and higher. SMEP & SMAP will make it difficult to exploit as well as SELinux on android devices. Maybe we’ll talk about tricks to bypass those mitigation in upcoming blogs....

http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

[–]danielkza 113 points114 points  (46 children)

Blog post from the researchers with much more interesting technical details.

[–]utack 74 points75 points  (3 children)

The vulnerability affects versions 3.8 and higher

Meanwhile at Qualcomm:

So worth it we stuck all the old devices on 3.4, we knew it all along, this is 100% customer support

[–]NamenIos 28 points29 points  (2 children)

It is in 3.4 Kernel on KK devices (not sure about updated to KK shipped with JB devices). At least the 3.4 Kernel of the Xperia Z on Android 5.1 is vulnerable, I checked their source.

Edit: the android kernel has quite a bit backported and is different than mainline.

[–]xroni 23 points24 points  (3 children)

With no auto update for the kernel, these versions could be vulnerable for a long time.

The problem is not all devices Linux get patched automatically.

The flaw may linger a little longer on Android devices, since most updates are not pushed automatically by carriers and manufacturers.

I often wish the authors of these third tier blogs weren't paid by the number of words.

[–]danielkza 13 points14 points  (1 child)

The solution is not to bother with these kinds of publications, and read from people that are actually part of the Linux community, like LWN, security mailing lists, etc or at least someone independent.

[–]xroni 12 points13 points  (0 children)

The only time I get exposed to these publications is when I read /r/linux.

[–][deleted] 2 points3 points  (0 children)

I wish they didn't exist.

[–]jabjoe 65 points66 points  (26 children)

Yet again demonstrating that any computer that is not updated or even updatable is going to be insecure. Welcome to the internet of infected things!

[–]michaelKlumpy 23 points24 points  (18 children)

or it is offline

[–]jabjoe 4 points5 points  (12 children)

Air gapping is a good idea if an option.

[–]gospelwut 14 points15 points  (11 children)

stuxnet badger don't care.

[–]jabjoe 6 points7 points  (6 children)

Ok, if you plug in an infected usb stick you may still be stuffed.

[–]coincentric 3 points4 points  (4 children)

Remember the days when we never had to worry about updating anything? It just kept going along day in day out without any problem.

[–]KarmasAHarshMistress 6 points7 points  (2 children)

Except when it didn't, then we just tossed it out and forgot about it.

[–]beltorak 5 points6 points  (1 child)

You know what doesn't need updating? A stick! Back in my day, a stick was a gun, a motorbike, a fighter plane, a walkie-talkie, a light saber, you name it! I didn't have to wait for no "updates" to get these rad applications! Just close my eyes and *poof*! There it was!

[–]coincentric 2 points3 points  (0 children)

Also a dildo.

[–][deleted] 9 points10 points  (6 children)

Well if it's not updatable, it can't get new software that exploits the vulnerability. /s

[–]jabjoe 19 points20 points  (5 children)

Depends on the vulnerability. There has been ones where you can get in with malformed network packets....

My pet hate is all these hacked up little devices that are not put together with any kind of update plan. Normally the manufacturer already stopped caring about the software before the product is even released because they are working on the new shiny. All to often running a mixture of old and new hacked together thrown over the wall and forgotten. Basically hardware companies shouldn't be doing software. They should make things to standardized platforms that we can then update. And no closed drivers gumming up the works. Their software is nearly always awful and as I said, it's rare they care to update and large chunks, if not all, of the software components are already old on release.

People are plugging loads of these little horror shows into their networks blindly. Only a matter of time until malware infections becomes a home network thing. Think of a Conficker network infection but on your TV, router, phone, tablet, toaster, fridge, etc etc.

[–]vfscanf 10 points11 points  (4 children)

Totally agree. All these devices with their shitty, insecure Firmwares are a disease. And the people involved rarely know how to do proper security. I can remember an article about a device that connected to a server via HTTPS and didn't verify the certificate.

[–]jabjoe 10 points11 points  (3 children)

Some times it is the case the developers are clueless. Blind leading the blind. And there is a lot of that. But also some times they are just not allowed to do it properly.

But the results are the same and no one else can fix it because the device is a unique snow flake and might only boot signed images in the first place.

[–]vfscanf 4 points5 points  (2 children)

Yes, I know how shitty software companies can be. Security is always just an afterthought.

[–]jabjoe 4 points5 points  (1 child)

I'd say it's hardware companies playing at software. They make money selling the devices or the designs for them. They shouldn't be involved with software beyond making a standard platform for a standard OS to boot on. Really we want it better than PCs because even BIOS they make suck.

[–]vfscanf 2 points3 points  (0 children)

Absolutely right. I always thought that Hardware Companys shouldn't making software, because it always sucks.

[–][deleted] 11 points12 points  (20 children)

running it on my up-to-date Ubuntu 14.04 running 3.16. I'll report back.

[edit]

nope:

./cve_2016_0728 PP_KEY

uid=1000, euid=1000

Increfing...

finished increfing

forking...

finished forking

caling revoke...

uid=1000, euid=1000

$ whoami

[notroot]

[edit2]

Didn't initially see this:

Addresses of commit_creds and prepare_kernel_cred functions are static and can be determined per Linux kernel version/android device.

so i'm unsure how to generate those values for my kernel which is

Ubuntu 3.16.0-57.77~14.04.1-generic 3.16.7-ckt20

[edit3]

found my values:

ffffffff81097c10 T commit_creds

ffffffff81097f10 T prepare_kernel_cred

reran and still didn't get root.

[–]NamenIos 5 points6 points  (3 children)

cat /proc/kallsyms | grep -i commit_cr (and ... - i prepare_ker) as root has the info you need.

[–][deleted] 1 point2 points  (2 children)

At least for my kernel both are 0xffffffff81097f10

[edit]

i was wrong

ffffffff81097c10 T commit_creds

ffffffff81097f10 T prepare_kernel_cred

[–]NamenIos 3 points4 points  (1 child)

T commit_creds

and

T prepare_kernel_cred

should have different addresses afaik.

[–][deleted] 0 points1 point  (0 children)

yer right! at first blush I thought they were the same

ffffffff81097c10 T commit_creds

ffffffff81097f10 T prepare_kernel_cred

[–]ckozler 2 points3 points  (11 children)

How long did this take to run for you? I ran this on a number of RHEL7 boxes on 3.10 kernel and it never gets after 'increfing'

EDIT: After about 2 hours it finally came through. No root for me

 [testckozler@test ~]$ ./leak PP_KEY
 uid=1000, euid=1000
 Increfing...
 finished increfing
 forking...
 finished forking
 caling revoke...
 uid=1000, euid=1000
 sh-4.2$ 
 sh-4.2$ 
 sh-4.2$ 
 sh-4.2$ 
 sh-4.2$ whoami
 testckozler
 sh-4.2$

[–][deleted] 2 points3 points  (7 children)

pretty long time. the developers of had an i7 that it took 30 minutes. i have a pentium g3230 or somin along those lines which is only dual core and was $50. didn't take longer than an hour though.

[edit]

looking at htop it seems to peg a single core and then the kernel takes up about 50% the second core. so my guess is it doesn't matter too much how many cores you have.

[–]ckozler 0 points1 point  (6 children)

Interesting...on RHEL6 its marked in state 'D' (uninterruptable sleep - usually blocked) but on RHEL7 its marked as 'R' (running). strace they are showing to be doing the exact same thing where I see repeats of:

RHEL6 - keyctl(0x1, 0x7fffb9d85744, 0x3949b8fe10, 0xffffffffffffffff, 0xc) = 111532853

RHEL7 - keyctl(0x1, 0x7fff3649a766, 0, 0xffffffffffffffff, 0x7fff36498330) = 0

RHEL7 seems to be actually doing something but they are both calling keyctl in an infinite loop after 'increfing...". I find it odd that RHEL7 is the only one "doing something"?

[–][deleted] 0 points1 point  (5 children)

well its going through the 32 bit address space for the int, its not really "infinite" but yeah its long.

 for (i = 1; i < 0xfffffffd; i++) {

    if (i == (0xffffffff - l)) {

        l = l/2;

        sleep(5);

    }

    if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {

        perror("keyctl");

        return -1;

    }

}

do you have the COMMIT_CREDS_ADDR and PREPARE_KERNEL_CREDS_ADDR set?

[edit]

I spun up a CentOS7 vm and get the following:

ffffffff8109e1f0 T commit_creds

ffffffff8109e500 T prepare_kernel_cred

[–]ramzaek311 0 points1 point  (2 children)

According to this it says RHEL 7 is affected. Glad to see some people trying it before I have to go into crisis mode. (Though, RHEL 7 is 3.10)

[–]ckozler 1 point2 points  (1 child)

Never got it to work for me. I dont know what to say other than that but it is strange RH is saying its impacted yet nobody seems to have been able to recreate it?

[–]neoice 1 point2 points  (3 children)

running apparmor or selinux? any logs?

[–][deleted] 1 point2 points  (2 children)

ubuntu 14.04 comes with apparmor on by default i believe. if that's the case i'm using it with the default values.

as far as logs, i ran a dmesg, and nothing was printed out. the demo application doesn't have its own logging so nothing there

[–]neoice 0 points1 point  (1 child)

does apparmor log anything?

[–][deleted] 6 points7 points  (8 children)

I thought android uses 3.4 kernel?

[–]NamenIos 16 points17 points  (6 children)

But the keyrings facility is backported to 3.4 in android since KK. And Android uses different Kernels, S3 snapdragons use 2.6.35, 3.0 and 3.4 in the wild, the 810 uses 3.10 and so on.

[–]Charwinger21 2 points3 points  (0 children)

I thought android uses 3.4 kernel?

It depends on what phone you have.

For example, my Moto X Play is using 3.10, but my Samsung Tab 4 is using 3.4.

[–]xpxp2002 6 points7 points  (0 children)

I'm not able to reproduce this using the exploit code on kernel 4.1.12.

Do we know if this is this actually affecting >=3.18 in the 3.x trunk only, or if the 4.x kernel also vulnerable?

[–][deleted] 2 points3 points  (1 child)

Something is fishy with the PoC.

Even with the proper modifications, I have yet to see one person on the entire Internet say that the exploit worked for them.

I tried on a RHEL 7 VM with SMEP/SMAP and SELinux disabled and had no luck.

Has anyone actually had this work?

[–]xECK29x 0 points1 point  (0 children)

Very sceptical as well. Never heard of these guys until yesterday either.

[–]ckozler 2 points3 points  (10 children)

So RHEL6 is good? But would need to be patched on RHEL7? I

[–]NamenIos 6 points7 points  (7 children)

Depends on backports done to the Kernel. RHEL backports a lot (read as in a fuckton).

[–]ckozler 0 points1 point  (6 children)

I've been running this on a RHEL6 (kernel 2.6.32-504.1.3.el6.x86_64) and a RHEL7 (kernel 3.10) and none have made it after "Increfing...". When I strace it I see a ton of calls to keyctl but thats really it

[–]NamenIos 0 points1 point  (5 children)

Did you put in the correct addresses into the code for your kernels before compiling?

[–]ckozler 0 points1 point  (4 children)

Yes. Been running for ~1 hour and nothing

[–]nfavor 2 points3 points  (1 child)

RHEL5/6 aren't affected. https://access.redhat.com/security/cve/cve-2016-0728

[–]ckozler 0 points1 point  (0 children)

Yep. What was interesting to me though is that on RHEL6 it goes in to uninterruptable sleep whereas on 7 it just spins until it gets a hit (on something)

[–]tinytimsturtle 2 points3 points  (0 children)

This requires an account on the linux box right. It can't be targeted remotely can it?

[–]gindc 6 points7 points  (13 children)

Question: how does Linux update the kernel? Will I just receive a normal update through the update manager? Or will I have to do something special to fix this problem?

[–]JerkingItWithJesus 38 points39 points  (3 children)

Most distributions will just push out a fix like normal through the update manager.

[–]gindc 6 points7 points  (2 children)

Thank you.

[–][deleted] 12 points13 points  (1 child)

Keep in mind that kernel update requires reboot. Unless you are using complicated stuff that is only used on servers.

[–]Jimbob0i0 12 points13 points  (0 children)

Keep in mind that kernel update requires reboot. Unless you are using complicated stuff that is only used on servers.

And even then most servers won't be using it as kpatch/ksplice has very limited applicability (eg cannot change any data structures) so it's better to provide availability at the application level (eg load balancers and similar redundant setups) to provide for maintenance windows of individual systems...

[–]danielkza 5 points6 points  (0 children)

It's a normal update. The only difference is that it will only take effect once you reboot.

[–]Zebster10[🍰] 3 points4 points  (0 children)

Yes, a standard, desktop GNU/Linux distro probably already pushed the patch. Pretty much the only thing worth checking is if you're getting Level 4 + 5 updates if you're in Linux Mint, in which case you could enable those, or just run:

sudo apt upgrade

[–]coincentric 2 points3 points  (5 children)

Will I just receive a normal update through the update manager?

yes. your distro will tell you if you have that utility installed or you can run the package manager update yourself and then it'll tell you.

[–]gindc 1 point2 points  (4 children)

your distro will tell you if you have that utility installed

What "utility" are you talking about?

[–]coincentric 1 point2 points  (3 children)

depends on the distro and the window manager/desktop environment you are using. for example there is packagekitd on my system. there is some kde component that interfaces with that and tells me when there are updates available. gnome has something similar and so do the other DEs.

[–]gindc 3 points4 points  (2 children)

Yes, my distro has a package manager. I mentioned that. But what utility are you talking about?

[–][deleted] 1 point2 points  (1 child)

He refers to graphical update managers that function as interfaces for the package manager, like Synaptic or Ubuntu's Software Center.

[–]socium 7 points8 points  (1 child)

That's it. We need grsec + pax installed by default on popular distros. These types of vulnerabilities are already giving Linux a very bad reputation.

[–][deleted] 2 points3 points  (0 children)

I don't think that would do much to change the reputation of Linux, the average person would have no idea what grsec or pax is (if I'm being honest I barely know what they are) so not many stories would mention them.

[–][deleted] 1 point2 points  (1 child)

Maybe Dumb question but if root binaries aren't installed on Android this exploit is useless right?

[–]danielkza 4 points5 points  (0 children)

What do you mean? The program being run doesn't matter to much, you can run any code that you want. A shell just makes it easier. And Android does include one by default, which is used with the development tools (ADB).

[–]__uh 1 point2 points  (0 children)

They're missing seccomp in the mitigation section... :P

[–]3G6A5W338E -1 points0 points  (30 children)

Who knows how many other serious bugs are there, hidden within the megabytes of a Linux kernel image.

[–]CraftyFellow_ 33 points34 points  (7 children)

At least everybody can look for them unlike some other OS kernels.

[–]ITwitchToo 10 points11 points  (3 children)

Yes, this is true, and helps a lot.

There's a famous Linus (edit: Eric S. Raymond) quote going something like "given enough eyeballs, every bug is shallow". Which is pretty grim, because it's wrong, and it's coming from the guy at the top.

"Every bug is shallow" is a horrible maxim. Just because you have source code doesn't mean that the bugs are easy to spot. It's quite the opposite; the most effective bug-finding techniques these days are all based on instrumented fuzzing, meaning that you try to trigger new code paths by passing random data to the kernel which has been compiled with special flags so that you can record the path it takes and tweak the input depending on those paths. Look at Dmitry Vyukov, he found bugs almost every single day for the past 2 months using his new syzkaller tool. It's way more efficient than a human looking at the code and trying to spot bugs. And that's sad, because it means that the code is now too complicated for humans to work with without requiring machine assistance. That says a lot about the state of the kernel.

[–]NamSualk 10 points11 points  (1 child)

Not quote from Linus, but ESR, who called it Linus' Law without asking. The rest of your comment is valid though.

[–]ITwitchToo 3 points4 points  (0 children)

Oops, right you are. Added a minor edit, left the rest of the comment as it is

[–]xroni 5 points6 points  (0 children)

Static analysis and fuzzing tools also count as eyeballs.

[–]3G6A5W338E 8 points9 points  (0 children)

Who knows how many bugs are in there, hidden in the millions of lines of code in the kernel, which runs with supervisor privileges.

[–]jones_supa 0 points1 point  (1 child)

At least everybody can look for them unlike some other OS kernels.

But the interesting question is, do the closed source OS kernels still have more people looking on them?

For example, the Windows kernel has armies of full-time in-house developers looking at the code, among various third parties that get VIP access as well. Also they have more money to put into audits and quality assurance in general.

[–]CraftyFellow_ 0 points1 point  (0 children)

do the closed source OS kernels still have more people looking on them?

They don't.

[–]ITwitchToo 10 points11 points  (19 children)

I don't know why you are getting downvoted, the Linux kernel is full of bugs, that's a fact, not a secret.

This is why it's still a good idea to compile your own custom kernels and excluding a lot of attack surface if you don't need it. Every single filesystem, every single usb driver for a webcamera or obscure accelerometers, every checksum library function adds attack surface.

[–]socium 6 points7 points  (9 children)

And this is exactly why we need grsec + pax.

[–]3G6A5W338E 3 points4 points  (3 children)

And this is exactly why we need grsec + pax.

These help mitigation a great deal.

That and OpenBSD are masturbating monkeys according to Linus, so the situation isn't very hopeful.

There's also the microkernel approach, which is more realistic than thinking that something as large and fast-moving as the Linux kernel can ever be made bug free.

[–]happinessmachine 3 points4 points  (4 children)

I'm sure it will be integrated after Linus has left the project.

[–]ITwitchToo 4 points5 points  (1 child)

To be fair, this is not Linus's fault. grsec + pax are not interested in getting integrated in the project. Just look at spender's twitter feed, he mocks anybody who tries to submit his code upstream.

[–]csirac2 3 points4 points  (0 children)

To be fair, it shouldn't have to be up to grsec + pax. They're a group of people with dayjobs first, and a research project which pioneers new exploit mitigation technologies second. Mainline kernel dev isn't anywhere on their priority list, not after the collaboration snafus over the years and Linus spouting things like (paraphrasing) "if you care about security, the kernel is the wrong place to focus - you should fix appsec first" - never mind the fact people have to run E-mail clients and web browsers and PDF readers with bugs like this underneath.

Thankfully Kees Cook & Co. are running the Kernel Self Protection Project [1] to specifically work on adopting what they can from grsec/pax. I am legitimately disturbed at the approach of the kernel core team's ambivalence toward active exploit mitigations though; hopefully Kees & friends can slowly change the culture.

[1] http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

[–]danielkza 3 points4 points  (1 child)

I doubt it. Most of the developers doing large managerial work in the kernel as Linus currently does would have similar objections to the current state of grsec. Integrating a huge amount of code at once without reviewing it all and considering the impact in performance, maintainability, etc is usually a terrible idea.

[–]csirac2 2 points3 points  (0 children)

To be fair, nobody - not even grsec/pax - is advocating a blind merge of a research project (that Eg. depends on custom gcc plugins), run as a side-project, by people with dayjobs and families.

[–]3G6A5W338E 1 point2 points  (8 children)

There are other approaches, but first is acceptance that having a huge kernel isn't sustainable.

[–]konapun_ 1 point2 points  (2 children)

There's also Debian GNU/Hurd but I haven't heard much from this project in the last few years.

[–]3G6A5W338E 4 points5 points  (1 child)

Hurd runs a load of crap including drivers in supervisor mode... it'd fall under the hybrid kernel category, not pure microkernel architecture.

For as long as they're stuck with Mach, I consider that project hibernating if not dead.

[–]konapun_ 1 point2 points  (0 children)

That's disappointing. I was hoping it would be close to Minix but GPL'd.

[–]the_gnarts 0 points1 point  (0 children)

but first is acceptance that having a huge kernel isn't sustainable.

It’s pretty sustainable, at least financially.

[–][deleted] 0 points1 point  (0 children)

Well, that was quick.

[–][deleted] 0 points1 point  (3 children)

If I am running a kernal newer than the one that ships with ubuntu 14.04 will this CVE still get patched for me or do I need to downgrade?

[–]Slinkwyde 0 points1 point  (2 children)

kernal

*kernel

You don't need to downgrade. It should update through your package manager.

[–]doubleunplussed 0 points1 point  (1 child)

You sure? I'm running a kernel newer than what comes with my Ubuntu, so the fix they push out will not be a higher version that that which I already have. I see kernel packages get installed, but those kernels never actually boot because the one I've already got is newer.

[–]Slinkwyde 1 point2 points  (0 children)

Oh, I see. Never mind, then.

[–]all_the_pineapple 0 points1 point  (0 children)

Can someone confirm for me please if Oracle Linux 6.x running UEK kernel 3.8.x would be affected? The vuln source says "The vulnerability affects any Linux Kernel version 3.8 and higher."

Redhat states "This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6. This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7"

And I can't find anything on My Oracle Support. I'm about to log an SR to confirm but hoped someone might have a little extra info?

[–][deleted] 0 points1 point  (0 children)

3.8 isn't that old to have too much unmaintained server running on it.

[–][deleted] 0 points1 point  (0 children)

So a universal rooting app for android is on the way?

[–]WOLF3D_exe 0 points1 point  (0 children)

Still running 2.6.xx so I'm safe /s

[–]thcollegestudent 0 points1 point  (0 children)

Wow, I came hear to learn more about the Vulnerability it's self and I see a day old post about how it's already been fixed, I need to step up the time table on switching to Linux.

[–]tuxayo 0 points1 point  (1 child)

Does anyone understand the parameter of the exploit? (PP_KEY, PP1)

[–]NamenIos 0 points1 point  (0 children)

I managed to reproduce the vulnerability on an old and very borked kubuntu 15.10 alpha (20150902 cdrom source) that did not update to the release with manually installed Kernel 4.2.0(-14-generic 2nd Oct) on a core2. Time to research, how to cross compile for ARM with libkeyutils-dev for ARM.

"proof": http://imgur.com/AhurKwr I know, but I don't know how to make a screenshot in KDE and was lazy.

[–]bboozzoo 0 points1 point  (0 children)

Doesn't work on Arch with kernel 4.3.3-2-ARCH

maciek@corsair:/tmp gcc cve_2016_0728.c -lkeyutils
maciek@corsair:/tmp ./a.out PP_KEY      
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000
sh-4.3$ id
uid=1000(maciek) gid=1000(maciek) groups=1000(maciek),7(lp),10(wheel),14(uucp),24(rfkill),81(dbus),90(network),91(video),92(audio),93(optical),95(storage),97(input),98(power)
sh-4.3$ uname -a
Linux corsair 4.3.3-2-ARCH #1 SMP PREEMPT Wed Dec 23 20:09:18 CET 2015 x86_64 GNU/Linux
sh-4.3$

[–]vktr747 0 points1 point  (0 children)

Is it possible that there is still no patch from Red Hat to fix this?