As reported today on Slashdot, in linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space. This is almost as funny as early linux kernels in which the LDT was user writable.

In any case, the patch is to stick the following check in do_brk() in /mm/mmap.c:

    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;

This is of course a serious bug, since anyone on a vulnerable machine has access to kernel memory by writing a terse no-brainer C program, of which I will not give an example, because enough people on the Internet hate me already. :)

An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder.

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
Eric Cordian wrote:
> An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder.
I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it. Are you saying that the Open Source model isn't as good as proprietary "we'll-fix-it-if-we-feel-like-it" models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that the Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at.

So Open Source is not a perfect solution. In its defense:

- you had the opportunity to hire a team of 50 to examine the code
- the solution was made known to you
- you can reject this solution and write your own if you prefer

none of which would have been true if this were proprietary code.

There are so many good things about this model - it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you.

- Eric Tully
Eric Tully writes:
> I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it.
Let me simplify. I found it startling that a Redmond-level bug was in a mature open-source project, the result of many years of hard work and evolution, deemed "Ready for the Enterprise." This isn't a slap at Open Source. It's just mild bemusement.
> Are you saying that the Open Source model isn't as good as proprietary "we'll-fix-it-if-we-feel-like-it" models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at.
Well, let's see. I think Open Source is better than the Closed Source proprietary "It's not a bug, it's a feature" model. I've never been promised anything by Open Source, so it's certainly not the second thing. While I wouldn't say Open Source should not be used for secure code, there seems to be a bit of overconfidence in this area, particularly in the lack of realization that Open Source clones of rock solid pieces of software like PGP and SSH are probably exploitable and buggy when they are first released. But all in all, I think Open Source is an excellent idea, as long as one does not have unrealistic expectations. I wouldn't use Open Source to run an artificial heart, but for most of the things it is used for, it is probably quite satisfactory.
> So Open Source is not a perfect solution. In its defense:
>
> - you had the opportunity to hire a team of 50 to examine the code
> - the solution was made known to you
> - you can reject this solution and write your own if you prefer
>
> none of which would have been true if this were proprietary code.
Quite true.
> There are so many good things about this model - it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you.
I have not been promised anything by the "guys on Slashdot." I simply found the error amusing. Let's not get our blood pressure in an uproar simply because virtually every Linux system in the world was just discovered to have a user readable/writable kernel. It will be fixed, and life will move on. This is a dumb coding error. Not a referendum in the eyes of God on the worthiness of the Open Source movement. Chill.

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
At 1:09 AM -0800 12/2/03, Eric Cordian wrote:
> As reported today on Slashdot, in linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space.
Rule 1: When you audit code for security, be sure there is a complete check of all input parameters. Make at least one pass through the code where this is the only check you make. As can be seen by multiple problems of this type, it's easy to forget.

Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as a | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032
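The check Eric Cordian quoted for do_brk() and Bill Frantz's Rule 1 (a complete range check on every input parameter) are two views of the same thing, so here is one added example covering both. It is not code from the thread or from the kernel; it models the quoted two-part test in user-space C, with an assumed TASK_SIZE of 0xC0000000 (the 3 GiB split mentioned above) and a conventional -22 standing in for -EINVAL. Addresses are modelled as 32-bit so the sum wraps the way it does on the platform under discussion even when compiled on a 64-bit host. The second function deliberately drops the wraparound test to show why the fix needs both conditions, and the third reaches the same accept/reject decision without ever forming the sum.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Model 32-bit x86 addresses explicitly so that addr + len wraps modulo 2^32,
 * as the kernel's unsigned long arithmetic does on that platform. */
typedef uint32_t addr_t;

/* Assumed value standing in for the kernel's TASK_SIZE on 32-bit x86 with the
 * default 3G/1G split: user space is [0, 0xC0000000). Not from a kernel header. */
#define TASK_SIZE_32 ((addr_t)0xC0000000u)

/* Stand-in for -EINVAL; 22 is the conventional errno value for EINVAL. */
#define EINVAL_CODE 22

/* The check quoted in the thread, as added to do_brk():
 *   if ((addr + len) > TASK_SIZE || (addr + len) < addr) return -EINVAL;
 * Returns 0 when [addr, addr + len) lies entirely below TASK_SIZE and
 * -EINVAL_CODE otherwise. The second condition catches a sum that wrapped
 * past 2^32 and therefore landed back below TASK_SIZE. */
int brk_range_check(addr_t addr, addr_t len)
{
    addr_t end = addr + len;      /* may wrap modulo 2^32 */
    if (end > TASK_SIZE_32 || end < addr)
        return -EINVAL_CODE;
    return 0;
}

/* The same test with only the upper-bound comparison, kept here to show why
 * the fix includes the wraparound condition: a length that wraps the sum
 * around to a small value passes the bound comparison on its own. */
int brk_range_check_bound_only(addr_t addr, addr_t len)
{
    addr_t end = addr + len;
    if (end > TASK_SIZE_32)
        return -EINVAL_CODE;
    return 0;
}

/* Overflow-free equivalent: compare len against the room left below
 * TASK_SIZE instead of forming the sum. Accepts and rejects exactly the
 * same inputs as brk_range_check, with no wraparound to reason about. */
int brk_range_check_no_sum(addr_t addr, addr_t len)
{
    if (addr > TASK_SIZE_32 || len > TASK_SIZE_32 - addr)
        return -EINVAL_CODE;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, one per interesting region of the input space. */
    struct { addr_t addr, len; const char *what; } cases[] = {
        { 0x08048000u, 0x00001000u, "ordinary heap growth" },
        { 0xBFFFF000u, 0x00001000u, "ends exactly at TASK_SIZE" },
        { 0xC0000000u, 0x00001000u, "starts above TASK_SIZE" },
        { 0xFFFFF000u, 0x00002000u, "sum wraps to 0x1000" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s addr=0x%08" PRIx32 " len=0x%08" PRIx32
               "  full=%3d  bound-only=%3d  no-sum=%3d\n",
               cases[i].what, cases[i].addr, cases[i].len,
               brk_range_check(cases[i].addr, cases[i].len),
               brk_range_check_bound_only(cases[i].addr, cases[i].len),
               brk_range_check_no_sum(cases[i].addr, cases[i].len));
    }
    return 0;
}
```

The fourth row is the one that matters for Rule 1: the bound-only variant accepts a range that starts near the top of memory because the wrapped sum is tiny, while both complete checks reject it. When reviewing a range check, it is worth asking whether every arithmetic step before the comparison can wrap; the no-sum form sidesteps that question entirely.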
On Tue, Dec 02, 2003 at 01:09:31AM -0800, Eric Cordian wrote:
> An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder.

I don't know that I'd call it "auditing" exactly; to my knowledge, no audit as such has been undertaken with the kernel. That said, evidently, a pair of the "many eyes" did ferret this one out, about 9 weeks ago:

http://linux.bkbits.net:8080/linux-2.4/diffs/mm/mmap.c@1.32?nav=cset@1.1148....

Unfortunately, he did not see it as critical enough to throw out security alerts and make a new release right then, so anyone with untrusted local users was completely unprotected. Including Debian, apparently.

Regards,
petard