Full Disclosure mailing list archives

Re: The story of the Linux kernel 3.x...
From: Adam Zabrocki <pi3 () pi3 com pl>
Date: Thu, 17 May 2012 20:56:54 +0200

On Thu, 2012-05-17 at 10:32 -0400, valdis.kletnieks () vt edu wrote:
> On Wed, 16 May 2012 23:49:40 +0200, Adam Zabrocki said:
>
>> so the latest update has this fix but still official ISO has old kernel. Fix was applied
>> in March/April. So again _stock kernels_ have/had so simple mistake ;)
>
> You're assuming it's a *mistake* rather than something intentional.
>
> Remember that the distro does *not* know what you run on the kernel, so they
> need to build one that covers all the bases.  So they really need to make a
> choice.  Which is going to result in more nasty phone calls and e-mails:
> leaving COMPAT_VDSO set (which is probably the 12,934th most security crucial
> security setting in a distro), or turn it off and *know* this will break
> certain older binaries?
>
> Remember that if you're a distro with a million users, even if only 0.1% of
> them still have old binaries, you just borked 1,000 users' machines.  Now
> compare that number to the number that will get hacked if you leave COMPAT_VDSO
> on (remember that the *only* thing it stops is exploits that hard-code certain
> addresses).

Sorry, I cannot agree with you. Suse 12.1 is a very new/fresh distribution,
so I don't see any point in delivering "old" binaries with a new system.
Still, there is an open question about 3rd-party vendors' applications.

But if you look carefully at our discussion, you will realize that other
systems do not have a problem with that, so you are suggesting that only
Suse doesn't have problems with clients? Additionally, Suse provided in
March/April a patch for this issue, which I pointed out in my previous
posts, and you can find the patch and the discussion about it on the Suse
kernel developers list:
http://lists.opensuse.org/opensuse-kernel/2012-03/msg00056.html

Additionally, Marcus Meissner from the Suse team wrote an interesting
sentence about the problem with 'old' binaries:

"Nobody can actually point to an application that breaks."
and "openSUSE 12.2 will have it disabled."



Because many people are confused about this whole discussion, I want to
summarize:

Suse 12.1 - by default has a problem with mapping the VDSO at a fixed address
(kernel compiled with the CONFIG_COMPAT_VDSO option enabled) - both x86 and
amd64 architectures. The newest kernel package has a fix (March/April) for
this problem.

Ubuntu and other 64-bit systems allocate VSYSCALL at a fixed memory
address, but this is a known issue which I didn't realize, so my mistake for
the confusion. More information about this case can be found here:

https://lkml.org/lkml/2011/8/9/274


Best regards,
Adam Zabrocki
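
A check for the two conditions summarized in the message above, added here as an example and not part of the original post: it compares where `[vdso]` and `[vsyscall]` are mapped across several separate processes and reports the regions whose address never changes. The function names and the sample maps dumps are constructed for illustration.

```python
# Added example: find [vdso]/[vsyscall] regions mapped at a fixed address.
import subprocess

def region_starts(maps_text, names=("[vdso]", "[vsyscall]")):
    """Return {region name: start address} parsed from a /proc/<pid>/maps dump."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [path]
        if len(fields) == 6 and fields[5].strip() in names:
            found[fields[5].strip()] = int(fields[0].split("-")[0], 16)
    return found

def fixed_regions(dumps):
    """Names of regions present in every dump at one unchanging start address."""
    seen = {}
    for dump in dumps:
        for name, start in region_starts(dump).items():
            seen.setdefault(name, []).append(start)
    return sorted(name for name, starts in seen.items()
                  if len(dumps) > 1 and len(starts) == len(dumps)
                  and len(set(starts)) == 1)

def sample_live(runs=8):
    """Collect maps dumps from `runs` separate short-lived processes (Linux only)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(runs)]

# Constructed sample dumps (illustrative values, not captured from a real host).
# 32-bit layout where the vDSO sits at the same address in both processes:
COMPAT_RUN_1 = """08048000-08053000 r-xp 00000000 08:01 1234       /bin/cat
bfd1c000-bfd3d000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
"""
COMPAT_RUN_2 = COMPAT_RUN_1.replace("bfd1c000-bfd3d000", "bf9a2000-bf9c3000")
# 64-bit layout: vDSO moves between runs, vsyscall page does not.
X64_RUN_1 = """7ffd3a5d0000-7ffd3a5f1000 rw-p 00000000 00:00 0  [stack]
7ffd3a5f1000-7ffd3a5f3000 r-xp 00000000 00:00 0  [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
"""
X64_RUN_2 = X64_RUN_1.replace("7ffd3a5", "7ffc91b")

if __name__ == "__main__":
    print("fixed across runs:", fixed_regions(sample_live()) or "none")
```

Running the script directly samples the local host; a region reported as fixed is one an exploit could address without an information leak.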


