Gentoo Forums
COW fixed in 4.1.35 longterm, but there is no ebuild [SOLVED]
Duncan Mac Leod
Apprentice

Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Wed Oct 26, 2016 10:29 am    Post subject: COW fixed in 4.1.35 longterm, but there is no ebuild [SOLVED]

https://bugs.gentoo.org/show_bug.cgi?id=598076

4.1.35 has been available for more than 24 hours now, but there is no ebuild for gentoo-sources.

Please help!


Last edited by Duncan Mac Leod on Fri Oct 28, 2016 3:42 pm; edited 1 time in total

Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1571
Location: KUUSANKOSKI, Finland

Posted: Wed Oct 26, 2016 11:40 am

Interesting.
I thought it was already fixed in .34.
ChangeLog-4.1.35:
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
   
    [ Upstream commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ]
   
    This is an ancient bug that was actually attempted to be fixed once
    (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
    get_user_pages() race for write access") but that was then undone due to
    problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
   
    In the meantime, the s390 situation has long been fixed, and we can now
    fix it by checking the pte_dirty() bit properly (and do it better).  The
    s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
    software dirty bits") which made it into v3.9.  Earlier kernels will
    have to look at the page state itself.
... that confirms it.
And by looking at the changelogs of the latest 4.4 (which is also LTS), it hasn't been patched there either.
I use 4.7.10 (non-LTS) now, which should have the patch, but I didn't see markings in the changelog... Maybe it's fixed in gentoo-sources...
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...

Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1571
Location: KUUSANKOSKI, Finland

Posted: Wed Oct 26, 2016 11:56 am

I think yours is patched against it with genpatch since you're using gentoo-sources.
You can test it. Here's how.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1765

Posted: Wed Oct 26, 2016 9:16 pm

I checked the POC on my system running kernel x86_64-4.4.6-gentoo and it failed.
I'm not sure whether it's a Gentoo patch or simply the pretty strict permissions (like 400 or something) set by Gentoo on mem that stopped the exploit, though :roll:
Either way... It failed. I guess it's good* :lol:

* Not that I was very worried about myself escalating permissions from user to root. Su provides the same functionality already

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14270

Posted: Thu Oct 27, 2016 1:22 am

v4.1.34 was released Oct 9, which puts it 4 days before Linus fixed the problem in tip. v4.7.9 provides the fix for the 4.7.x line. v4.4.6 is far too old to have it from upstream, but it is possible that a 4.4.6-rX could bring in the fix through the Gentoo extra patches.

Even on single user machines, this vulnerability is somewhat dangerous, since it allows any code-execution bug in any program on the machine to become a root-code-execution bug. Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.

Apheus
Guru

Joined: 12 Jul 2008
Posts: 421

Posted: Thu Oct 27, 2016 8:47 am

Why care about 4.4.6? 4.4.26 fixes it in the 4.4 line: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26
_________________
My phrenologist says I'm stupid.
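
Added example (not part of any post in this thread): a shell function that classifies a `uname -r` string against the three upstream point releases the thread names as carrying the fix (4.1.35, 4.4.26, 4.7.9). The function name and status strings are invented for this example; a `predates-fix` result on a distribution kernel still requires checking the distribution's patch set, as the posts above discuss.

```shell
#!/bin/sh
# Added example. Fixed point releases are the ones named in this thread.
# Function name and status strings are invented for this example.
#
# Status values:
#   fixed-upstream  release is at or past the fixed point release of its line
#   predates-fix    upstream release is older than the fix; the kernel is only
#                   patched if the distribution backported it (e.g. genpatches)
#   unknown-line    the thread names no fixed release for this stable line
#   unparsable      not in "MAJOR.MINOR[.PATCH][-suffix]" form
dirtycow_upstream_status() {
    rel=$1
    base=${rel%%-*}              # drop "-gentoo", "-gentoo-r1", ...
    case $base in
        ''|*[!0-9.]*|.*|*..*|*.) echo unparsable; return 0 ;;
        *.*) ;;                  # digits and dots only, at least MAJOR.MINOR
        *) echo unparsable; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $base                 # split on dots: $1=major $2=minor $3=patch
    IFS=$old_ifs
    major=$1 minor=$2 patch=${3:-0}
    case "$major.$minor" in
        4.1) fixed=35 ;;
        4.4) fixed=26 ;;
        4.7) fixed=9 ;;
        *)   echo unknown-line; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed-upstream
    else
        echo predates-fix
    fi
}

# Classify the running kernel.
dirtycow_upstream_status "$(uname -r)"
```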

Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1571
Location: KUUSANKOSKI, Finland

Posted: Thu Oct 27, 2016 9:11 am

Hu wrote:
Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.
A web browser that has a Flash plug-in.
What could possibly go wrong?
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...

Duncan Mac Leod
Apprentice

Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Thu Oct 27, 2016 12:37 pm

Hu wrote:
v4.1.34 was released Oct 9, which puts it 4 days before Linus fixed the problem in tip. v4.7.9 provides the fix for the 4.7.x line. v4.4.6 is far too old to have it from upstream, but it is possible that a 4.4.6-rX could bring in the fix through the Gentoo extra patches.

Even on single user machines, this vulnerability is somewhat dangerous, since it allows any code-execution bug in any program on the machine to become a root-code-execution bug. Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.


Is there any reason why security fixes are released so slowly by Gentoo (short on developer resources?)?

4.1.x is a longterm kernel, the fix (4.1.35) was released 4 days ago on kernel.org, but there is still no ebuild.

Another example: bind-9.10.4_p3 for x86 is still not marked stable and Gentoo security recommends updating to this version.

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14270

Posted: Fri Oct 28, 2016 1:11 am

Zucca wrote:
Hu wrote:
Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.
A web browser that has a Flash plug-in.
What could possibly go wrong?
Indeed, Flash is a popular vector for gaining local code execution. Given some of the crazy things that are possible with modern Javascript, I would be worried even on Flash-free systems.
Duncan Mac Leod wrote:
Is there any reason why security fixes are released so slowly by Gentoo (short on developer resources?)?

4.1.x is a longterm kernel, the fix (4.1.35) was released 4 days ago on kernel.org, but there is still no ebuild.

Another example: bind-9.10.4_p3 for x86 is still not marked stable and Gentoo security recommends updating to this version.
I am sure there is a good reason, but I do not know it. I have seen comments for quite some time about how the x86 testing resources are much smaller than they once were, causing x86 to lag amd64. Your questions might be better addressed to one of the mailing lists, since some Gentoo developers do not read the forums. I know at least one gentoo-sources maintainer has posted in forum threads, but I do not know if he is likely to read this particular thread in order to see your question.

The Doctor
Moderator

Joined: 27 Jul 2010
Posts: 2600

Posted: Fri Oct 28, 2016 3:08 am

Unless you are a glutton for punishment, sticking with stable kernels seems to be the most sensible option. And the stable kernels have cleaned up the COW.

As for browser security, I see no good reason not to block JavaScript and Flash by default and enable them only on trusted sites as needed. It is amazing how much of the internet works without them. Even YouTube and Amazon.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1571
Location: KUUSANKOSKI, Finland

Posted: Fri Oct 28, 2016 9:55 am

This would indicate that all gentoo-sources have the patch that plugs the Dirty Cow's buttocks.
Am I right?
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...

Duncan Mac Leod
Apprentice

Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Fri Oct 28, 2016 3:46 pm

Mike sent me an email today that 4.1.35 (incl. COW fix) is now in portage.

Just successfully compiled gentoo-sources-4.1.35, now up and running :D !

Thank you Mike! 8)

All times are GMT