KERNEL SECURITY BUG: NULL pointer dereference in proto_ops

[jonathanross]

Hello,

I see this is noted on the packages site for Gentoo Sources http://packages.gentoo.org/package/sys-kernel/gentoo-sources for the NULL pointer dereference due to incorrect proto_ops initializations bug but it's been there since yesterday.

[pappy_mcfae]

It's in portage as of the time of this post.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.

[jonathanross]

Hi Pappy !

Thanks for responding.

Which sync Server are you using ? I've tried rsync.us. rsync.namerica. rsync.europe. etc.

I still see:

[Akkara]

It is there. It is just marked ~. So you need to keyword it if you are running stable.

[jonathanross]

Ahh, okay. Sorry for being a noob.

If it's unstable should I avoid it for production boxes ?

I thought it was just a small change to fix this bug so I'm not sure why it's marked unstable.

EDIT: Just found this doc: http://learn.clemsonlinux.org/wiki/Gentoo:Masked_ebuilds

Many thanks !

JR

[Akkara]

I'm not sure why it is unstable. Maybe they want to test it a day or two just to be sure. Could be a small thing, such as making sure the patch has been copied over to the mirrors, trivial stuff that most likely is correct, but in the rare case that it isn't, doesn't cause screams of surprise. (Total guesses, there.)

Since this is a pretty important one, in case you (or someone else reading this thread) isn't aware, it is possible to keyword a specific instance of a package. So you can use that one without later on having it upgrade every time another unstable kernel is released:

[jonathanross]

Thanks very much, Akkara !

You have been most helpful.

[jak137]

What about 2.6.27 series? Do I have to upgrade to 2.6.30 or are there available (or are going to be) patched sources for earlier versions?

[cach0rr0]

[Bircoph]

[jonathanross]

That could save the day but the release from the guys that discovered it said that it "may" be a workaround if I remember correctly.

[monsm]

Good thing I saw this thread, was about to update the kernel. Thanks guys.

I was under the impression that this Null Pointer problem got discovered and fixed in the release candidate stage. Am I wrong or is this a second similar bug? I think I saw something elsewhere about it.

Mons

[jonathanross]

Here's as 'official' as I can find:

http://www.cr0.org/misc/CVE-2009-2692.txt

[cach0rr0]

ah yes, now i remember where I got that info

looking at the exploit code comments:

[mikegpitt]

It looks like it is still marked ~arch as of 8/18. I'm sure it's just related to some extra testing. Although the vuln is critical, it is also local, so I am personally waiting until the devs mark it stable in case there is other breakage in -r5.

[cach0rr0]

local indeed, though the thought of a remote file inclusion vuln in another app allowing this to be run even as the apache user == your box is rooted, you're fairly screwed.

I guess not really an issue if the rest of your remotely-exposed applications/daemons are tightened down as they should be
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

[jonathanross]

I opted to go for the unstable kernel on a few production boxes in the end. With one left unpatched which needs a maintenance window.

Both SPARC64 and x86 boxes seem to be behaving well a few days in.

Although there's only a few daemons listening and everything is patched you never when that zero day bug might appear.

JR

[cach0rr0]

So the one item I'm not completely clear on - whether or not this affects hardened sources with the usual round of PaX (and well, grsec, but that's irrelevant here) options selected

I'm running 2.6.28-r9 with the 'hardened server' profile selected; but say I was on a branch that included the vulnerable code, would the hardened patches nullify the risk?
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

[jonathanross]

I'm not qualified to answer I'm afraid

Some of the chatter online has smirked at the extra kernel security actually being hit worse than standard builds and this is all I've seen 'officially' from my post above:

[mikegpitt]

Actually in retrospect, I think I'm going to unmask -r5 and update today (since I have some time). I think it is very likely that the devs will be marking this one stable soon. If any issues to arise out of the version bump I think they would be reflected in a -r6 since -r5 is already in portage. Basically, if you unmask today and see that it goes stable in another day or two it shouldn't cause any negative issues.

[jonathanross]

That was my theory too.

That said, it was committed on Friday to Portage (which was a great response to the bug being announced) so it's already a few days but as I said we've still to see any instability issues on SPARC64 or x86 (formerly running 2.6.29 kernels).

I would hope it's just some testing that needs to be completed too. I can do the maintenance window box's upgrade once it's stable.

JR

[krinn]

what a mess!

I prefer own a server with an unstable secure kernel, than a stable hackable one !

i could still reboot an unstable server for a min downtimes, what will we do if our root password is change, config... deleted.... BIG downtime !

[jonathanross]

I'm with you on that !!

[pappy_mcfae]

According to one of the above posted articles, this issue does have a fix, and has been summarily fixed in all versions (.27 and .30) released since that issue was discovered. So, once again, it seems it's time to do a bit of fixing. Since I run .29 on this machine, I guess that means me. hehehe

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.

[krinn]

but i read from the guy that found the hole that 32bits grsec+pax shoudn't be affect. (don't ask me why)