oss-sec mailing list archives
Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
From: Brad Spengler <spender () grsecurity net>
Date: Fri, 14 Dec 2018 08:27:24 -0500
I really wish such statistics would stop being cited as evidence of anything, since the ingrained bias of CVE allocation (which is generally not done by upstream itself, and is instead mostly done by the distros for issues that affect their older kernels) inherently changes the range of conclusions that can be reached. These statistics and the "5 year lifetime" of Linux kernel bugs are simply myths. The original "5 year lifetime" analysis was wrong from the start and already pointed out back then (https://lwn.net/Articles/410674/), but people continue to cite it. Garbage in, garbage out -- can we please stop feeding this pseudo-science? -Brad On Fri, Dec 14, 2018 at 02:07:55PM +0100, Solar Designer wrote:
On Thu, Dec 13, 2018 at 09:02:12PM +0100, Yves-Alexis Perez wrote:On Wed, 2018-12-12 at 15:24 +0100, Solar Designer wrote:A question to ask may be: out of Linux kernel vulnerabilities being patched, are there more high and critical overall severity (e.g., as risk impact times risk probability) vulnerabilities found in "too recent" kernels than there are high and critical severity untracked vulnerabilities (also or instead) affecting "sufficiently old" kernels?Data collected by Kees and regularly updated might help here. See https://events.linuxfoundation.org/wp-content/uploads/2017/12/Overview-and-Recent-Developments-Kernel-Self-Protection-Project_Kees-Cook.pdf#%5B%7B%22num%22%3A22%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C0%2C446.4%2C0%5D for the last edition (sorry for the weird anchor, in case it breaks it's on slide 5)Thanks! Slide 4 says average lifetime among 3 critical issues is 5.3 years, and among 79 high severity issues is 5.6 years. (And then there's over a thousand of medium and low severity issues. Ouch.) However, to answer my question above we need median and not average. For example, (1, 2, 3, 16) has an average of 5.5 years, but in that example by choosing a kernel version that is 2.5 years old, which is way below the average, we'd nevertheless avoid half of the issues. Slide 5 is in fact more relevant: it's an illustration showing "critical & high CVE lifetimes" against kernel versions. Per this illustration, we can see that my example of 3.10 (as RHEL7's base kernel) is hit by many low-numbered issues, but is hit by only two in the 67 to 82 range, which is 1/8 or 12.5% of issues found that recently. This is consistent with what I said about it having needed to mature "for a few years and a few hundred revisions" after RHEL7 was first released. I think it became mature enough just recently. It didn't feel mature enough to me when I ran Trinity for a few days (with many restarts) on a RHEL7-derived system two years ago. I hope those crashes have since been rediscovered with superior fuzzers allowing for easy reproduction, and patched. We've seen major improvement in fuzzing. Somehow Nicholas' reply below isn't part of the same thread (no proper In-Reply-To header), so let me bring it to the thread: https://www.openwall.com/lists/oss-security/2018/12/13/14 On Thu, Dec 13, 2018 at 06:07:32PM -0500, Nicholas Luedtke wrote:We have also been compiling and presenting the CVEs on a per stream basis at https://www.linuxkernelcves.com because the question of which upstream stable branch to choose has been asked on a enterprise level many times. Of course, once you choose once you still have to track the changes (or lack there of).This is also very interesting and relevant. As the website (and GitHub README.md) acknowledges: "This is currently autogenerated and will go through testing before any promises of accuracy are made. The eventual goal would be to have a community curated list of CVEs along with when the code was introduced and when it was fixed." Alexander
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Jann Horn (Dec 12)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Solar Designer (Dec 12)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Greg KH (Dec 13)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Yves-Alexis Perez (Dec 13)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Solar Designer (Dec 14)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Solar Designer (Dec 14)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Brad Spengler (Dec 14)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Solar Designer (Dec 14)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Solar Designer (Dec 12)
- Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7) Jann Horn (Dec 14)