Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

Theo wrote:

> For the record, this particular problem was resolved in OpenBSD a
while back, in 2008.

Nice, but:

"Since 2.6.23, it has been possible to prevent applications from
mapping low pages (to prevent null pointer dereferencing in the
kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
minimum address allowed for such mappings."

2.6.23 released:  Tue, 9 Oct 2007

Ref:
http://lkml.org/lkml/2007/10/9/241
http://james-morris.livejournal.com/26303.html

--
JS

On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote:

Optional prevention is not worth a lot.

        -Otto

Penned by Justin Smith on 20091104 15:45.33, we have:
| Theo wrote:
|
| > For the record, this particular problem was resolved in OpenBSD a
| while back, in 2008.
|
| Nice, but:
|
| "Since 2.6.23, it has been possible to prevent applications from
| mapping low pages (to prevent null pointer dereferencing in the
| kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
| minimum address allowed for such mappings."
|
| 2.6.23 released:  Tue, 9 Oct 2007
|
| Ref:
| http://lkml.org/lkml/2007/10/9/241
| http://james-morris.livejournal.com/26303.html
|
| --
| JS

And now we get into the fun stuff.

Ever heard of 'secure by default' ?

This knob is set to '0' by default.

How many Linux installations actually read the above paragraph, understood
what value it could have to set to something other than zero, and changed
it accordingly.

'Nuff said.
--
Todd Fries .. todd@...

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  sip:freedaemon@...
|                                             \  sip:4052279094@...
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Otto Moerbeek wrote:

not exactly on topic but Pope Benedict XVI would likely agree with otto.

see, even the pope doesn't like linus.

And that knob was turned off.

On Wed, Nov 4, 2009 at 4:14 PM, Todd T. Fries <todd@...> wrote:

"By default, Ubuntu 8.04 and later with a non-zero
/proc/sys/vm/mmap_min_addr setting were not vulnerable."

Ubuntu 8.04 released in 2008 april.


--
JS

On Wed, Nov 4, 2009 at 10:55 AM, Justin Smith <odnomzagi@...> wrote:
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.

Ubuntu 8 also ships with a setuid pulseaudio by default, which renders
the mmap_min_addr protection useless.

On Wed, Nov 4, 2009 at 5:54 PM, Theo de Raadt <deraadt@...>
wrote:
Actually no it was turned on.

Fedora 8 was released in Nov 2007 and to run certain Wine applications
as non-root you had to disable the vm.mmap_min_addr sysctl.
    By default it was set to a value of 65536 and you had to change this to
0.

This is well documented all over the Wine forums.
    I know because this drove me up the bend when they introduced this patch.


--
"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
    Thomas Alva Edison
    Inventor of 1093 patents, including:
        The light bulb, phonogram and motion pictures.

On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
And if you install something like wine, the knob is set back to 0,
probably without any notice (at least in ubuntu-8.10). You don't
even have to run it, just installing it is enough, if I understand
the mechanism correctly.

But more important is the fact that the original kernel sources
have the knob set to 0 by default.

Ciao,
        Kili

On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
quote from the article in the subject:

  The latest bug is mitigated by default on most Linux distributions,
  thanks to their correct implementation of the mmap_min_addr feature.
  But to make RHEL compatible with a larger body of applications, that
  distribution is vulnerable to attack even when the OS shows the
  feature is enabled, Spengler said.

so, on RedHat, one can't even turn it on?  doesn't Linus work for RedHat?

--
jakemsr@...
SDF Public Access UNIX System - http://sdf.lonestar.org

And it is totally on on *all* 90239490234873984 distros right?

On Wed, Nov 04, 2009 at 06:43:14PM +0200, Ross Cameron wrote:

Matthias Kilian wrote:
> And if you install something like wine, the knob is set back to 0,
> probably without any notice (at least in ubuntu-8.10).

That can explain why it's off on my system (karmic koala).

By the way, this is from the debian wiki:

Debian 5.0.3 ships with a default mmap_min_addr of '0'. This means that
the Debian system, by default, is susceptible to these NULL-pointer
privilege escalation techniques. Unless you know that you have
applications that require this functionality, it is recommended that you
increase the value of mmap_min_addr on your system.

Off by default.

Ross Cameron wrote:
> Actually no it was turned on.

This is from the commit to the Linux kernel:

"The amount of space protected is indicated by the new proc tunable
proc/sys/vm/mmap_min_addr and defaults to 0, preserving existing behavior."

It was turned off, 0 means no protection.

Tom Van Looy wrote:
Unless you aren't running shit-for-architecture x86 systems still.
It is 2009 and there are sparc, mips, freescale and arm on the market.
I know the reason x86 is still around, and it's not anything to do with
technical merits or price.  (Yeah, I still have some too, but not all
machines and certainly not through lack of effort.)

If I understand the bug correctly, the design failure in Windows seems
to be so fundamental that the system appears to be dependent on this
backdoor and that the flaw is so fundamental that even independent
re-implementations of the Windows API are dependent on this backdoor.
How much of a symbiosis is there between the hardware and software
components of the Wintel monopoly in failures like the one linked to in
the original post?

/Lars

Lars Nooden wrote:
See this discussion on the Wine Devel mailing list:

http://thread.gmane.org/gmane.comp.emulators.wine.devel/73671

- Salva

Lars Nooden wrote:
> If I understand the bug correctly, the design failure in Windows seems
> to be so fundamental that the system appears to be dependent on this
> backdoor and that the flaw is so fundamental that even independent
> re-implementations of the Windows API are dependent on this backdoor.
> How much of a symbiosis is there between the hardware and software
> components of the Wintel monopoly in failures like the one linked to in
> the original post?

Apparently Bill Gates *never* said "640K is Enough For Anyone" (see
http://www.wired.com/politics/law/news/1997/01/1484)... But this
NULL-pointer "feature" beats the "640K is Enough For Anyone".

At least in my (non-technical) eyes :D

--
Mauro Rezzonico <mauro@...>, Como, Italia
"Maybe this world is another planet's hell" - H.Huxley

2009/11/5 Justin Smith <odnomzagi@...>:

> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.


They've moved on from this then...

http://ubuntuforums.org/showthread.php?t=143334

Hi,

On Fri, 06.11.2009 at 13:41:13 +0200, Lars Nooden <lars.curator@...> wrote:
> Unless you aren't running shit-for-architecture x86 systems still.
> It is 2009 and there are sparc, mips, freescale and arm on the market.

now you only need to educate "us" about how such machines can be used
in an economic fashion.

Blaming people for not running PDA cpus for core routers or not
shelling out $40k for Niagara machines (supported by OpenBSD???) when
these are even outperformed by $4k PCs in almost all practical
scenarios, just doesn't cut it. Much less so if you take the rest of
the "supply chain" into account.

It's not like I was in love with x86/amd64, but it's *really*hard* to
go for something else.


Kind regards,
--Toni++

Toni Mueller wrote:
Further to this, if anyone is aware of any non-x86/x64 machines which
are of similar bang-for-buck as off-the-shelf PCs, I for one would be
*very* interested to know about them.

An ARM laptop would be especially win :-)

Dave W

Then here it is http://www.alwaysinnovating.com/touchbook/

On Sun, Nov 8, 2009 at 7:17 PM, Dave Wilson <richard.wilson@...> wrote: