LWN.net

Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the problem, which was apparently being used in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."

Fedora's Modularityinitiative has been no stranger to controversy since its inception in 2016. Among other things, therewere enough problems with the original design that Modularity went back to the drawing board in early 2018.Modularity has since been integrated with both the Fedora and Red HatEnterprise Linux (RHEL) distributions, but the controversy continues, withsome developers asking whether it's time for yet another redesign — or toabandon the idea altogether. Over the last month or so, several lengthy,detailed, and heated threads have explored this issue; read on for youreditor's attempt to integrate what was said.

Greg Kroah-Hartman has announced the release of the 5.3.12, 4.19.85, and 4.14.155 stable kernels. As usual, theycontain fixes throughout the kernel tree; users of those series should upgrade.

Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).

The LWN.net Weekly Edition for November 21, 2019 is available.

The idea of stacking (or chaining) Linuxsecurity modules (LSMs) goes back 15 years (at least) at this point; progresshas definitely been made along the way, especially in the last decade or so. It has been possible tostack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) forsome time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may notseem like a truly important feature, but there is a use case where it ispretty clearly needed: containers. Longtime LSM stacker (and Smackmaintainer) Casey Schauflergave a presentation at the 2019Linux Security Summit Europe to report on the status and plans forallowing arbitrary LSM stacking.

Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo).

A key tenet in KVM is to reuse as much Linux infrastructure as possibleand focus specifically on processor virtualization. Back in 2007, thismeant a smaller code base and less friction with the other kernelsubsystems, especially when compared with other virtualization technologiessuch as Xen. This led to KVM being merged into the mainline with relativeease. A talk at this year's KVM Forum looks at ways to better protectguests, perhaps by moving away from that tenet.

SystemTap 4.2 is out. This release features "support for generatingbacktraces of different contexts; improved backtrace tapset to include filenames and line numbers; eBPF support extensions including raw tracepointaccess, prometheus exporter, procfs probes and improved loopingstructures".

The 13th KVMForum virtualization conference took place in Lyon, France in October2019. One might think that development may have finished on the KernelVirtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, butthis year's conference underscored the amount of work still being done,particularly on side-channel attack mitigation, I/O device assignment withVFIO and mdev, footprint reduction with micro virtual machines (VMs), andwith the ability to run VMs nested within VMs. Many talks also involved the virtual machinemonitor (VMM) user-space programs that use the KVM kernel module—of whichQEMU is the most widely used.

Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses).

The arm64 architecture is found at the core of many, if not most, mobiledevices; that means that arm64 devices are destined to be the target ofattackers worldwide. That has led to a high level of interest intechnologies that can harden these systems. There are currently severalsuch technologies, based in both hardware and software, that are beingreadied for the arm64 kernel; read on for a survey on what iscoming.

Stable kernels 4.9.202 and 4.4.202 have been released. They both containimportant fixes and users should upgrade.

Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).

As expected, 5.4-rc8 was released onNovember 17 rather than the final 5.4 release."I'm not entirely sure we need an rc8, because last week was prettycalm despite the Intel hw workarounds landing. So I considered justmaking a final 5.4 and be done with it, but decided that there's noreal downside to just doing the rc8 after having a release cycle thattook a while to calm down."

One of the many responsibilities of the operating system is to helpprocesses keep secrets from each other. Operating systems often fail inthis regard, sometimes due to factors — such as hardware bugs and user-spacevulnerabilities — that are beyond their direct control. It is thusunsurprising that there is an increasing level of interest in ways toimprove the ability to keep data secret, perhaps even from the operatingsystem itself. The MAP_EXCLUSIVEpatch set from Mike Rapoport is one example of the work that is being donein this area; it also shows that the development community has not yetreally begun to figure out how this type of feature should work.

Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

Kees Cook catchesup with the security improvements in the 5.3 kernel."In recent exploits, one of the steps for making the attacker’s lifeeasier is to disable CPU protections like Supervisor Mode Access (andExecute) Prevention (SMAP and SMEP) by finding a way to write to CPUcontrol registers to disable these features. For example, CR4 controls SMAPand SMEP, where disabling those would let an attacker access and executeuserspace memory from kernel code again, opening up the attack to muchgreater flexibility. CR0 controls Write Protect (WP), which when disabledwould allow an attacker to write to read-only memory like the kernel codeitself. Attacks have been using the kernel’s CR4 and CR0 writing functionsto make these changes (since it’s easier to gain that level of executecontrol), but now the kernel will attempt to 'pin' sensitive bits in CR4and CR0 to avoid them getting disabled. This forces attacks to do more workto enact such register changes going forward."

The Yocto Project recentlyannounced its 3.0 release, maintaining the spring/fall cadence it has followed for thepast nine years. As well as the expected updates, it contains new thinking ongetting the best of two worlds: source builds and prebuilt binaries. Thisfits well into a landscape where reproducibility and software traceability,all the way through to device updates, are increasingly important to handlecomplex security issues.

Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu).

The LWN.net Weekly Edition for November 14, 2019 is available.

Digging into the email that provides the cornerstone of Linux kerneldevelopment is an endeavor that has become more popular over the last fewyears. There are some practical reasons for analyzing thekernel mailing lists and for correlating that information with the patchesthat actually reach the mainline, including tracking the path thatpatches take—or don't take. Three researchers reported on some effortsthey have made on kernel email analysis at the 2019Embedded Linux Conference Europe (ELCE), held in late October in Lyon, France.

The Bytecode Alliance is anindustry partnership with the aim of forging WebAssembly’s outside-the-browserfuture by collaborating on implementing standards and proposing newones. The newlyformed alliance has "a vision of a WebAssembly ecosystem that issecure by default, fixing cracks in today’s softwarefoundations". The alliance is currently working on a standaloneWebAssembly runtime, two use-case specific runtimes, runtime components,and language tooling.

This year saw the second edition of the AutomatedTesting Summit (ATS) and the first that was open to all. Last year's ATS was an invitation-onlygathering of around 35 developers (that was described in an LWN article),while this year's event attractedaround 50 attendees; both were held in conjunction with theEmbedded Linux Conference Europe (ELCE), in Edinburgh, Scotland for 2018and in Lyon, France this year. The basic problem has not changed—morecollaboration is needed between the different kernel testing systems—butthe starting points have been identified and work is progressing, albeitslowly. Part of the problem, of course, is that all of these testingefforts have their own constituencies and customers, who must be kept upand running, even while any of this collaborative development is going on.

Security updates have been issued by Debian (dpdk, intel-microcode, kernel, libssh2, qemu, and webkit2gtk), Fedora (apache-commons-beanutils, bluez, iwd, kernel, kernel-headers, kernel-tools, libell, and microcode_ctl), openSUSE (gdb), Oracle (kernel), Red Hat (kernel and kernel-rt), SUSE (dhcp, evolution, kernel, libcaca, python, python-xdg, qemu, sysstat, ucode-intel, and xen), and Ubuntu (dpdk, intel-microcode, kernel, linux, linux-aws, linux-kvm, linux, linux-lts-trusty, linux-azure, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2, linux-lts-xenial, linux-aws, linux-raspi2, and webkit2gtk).

A set of patches has just been pushed into the mainline repository (andstable updates) for yetanother set of hardware vulnerabilities. "TSX async abort" (or TAA)exposes information through the usual side channels by way of internalbuffers used with the transactional memory (TSX) instructions. Mitigationis done by disabling TSX or by clearing the relevant buffers when switchingbetween kernel and user mode. Given that this is not the first problemwith TSX, disabling it entirely is recommended; a microcode update may beneeded to do so, though. This commit containsdocumentation on this vulnerability and its mitigation.There are also fixes for another vulnerability:it seems that accessing a memory address immediately after the size of thepage containing it was changed (from a regular to a huge page, forexample) can cause the processor to lock up. This behavior is consideredundesirable by many. The vulnerability onlyexists for pages marked as executable; the mitigation is to force allexecutable pages to be the regular, 4K page size.

Stable kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201, and 4.4.201 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

Many community-based Linux distributions have made the decision to switchto systemd, and most of those decisions were accompanied by lengthy,sometimes acrimonious mailing-list discussions. No distribution had aharder time of it than Debian, though, where arguments raged through muchof 2013 before the Debian Technical Committee decided on systemd in early 2014. Thereafter,it is fair to say,appetite for renewing the init-system discussion has been low. Now,though, the topic has returned to the fore andit would appear that the project is heading toward a new generalresolution to decide at what level init systems other than systemd shouldbe supported.

The Free Software Foundation's Respects Your Freedom program provides acertification for hardware that supports your freedom. A new website listing certified products has beenlaunched. "In 2012, when we announced the first certification,we hosted information about the program and retailers as a simple page onthe Free Software Foundation (FSF) Web site. With only one retailer sellingone device, this was certainly satisfactory. As the program grew, we addedeach new device chronologically to that page, highlighting the newestcertifications. We are now in a place where eight different retailers havegained nearly fifty certifications [...]. With so many devices available, across so many different device categories, it was getting more difficult for users to find what they were looking for in just a plain chronological list."

Stable kernels 5.3.10, 4.19.83, 4.14.153, 4.9.200, and 4.4.200 have been released.They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (ampache, chromium, djvulibre, firefox-esr, gdal, and ruby-haml), Fedora (chromium, file, gd, hostapd, nspr, and rssh), openSUSE (bcm20702a1-firmware, firefox, gdal, libtomcrypt, php7, python-ecdsa, python3, samba, and thunderbird), SUSE (apache2-mod_auth_openidc, libssh2_org, and rsyslog), and Ubuntu (bash).

The seventh 5.4 prepatch is out fortesting. "Nothing looks _bad_, but there is too much of it.So I'm leaning towards an rc8 being likely next weekend due to that,but I won't make a final decision yet. We'll see."

Operating systems and computing hardware both carry a lot of their historywith them. The x86 I/O-port mechanism is one piece of that history; it israrely used by hardware designed in the last 20 years, but it muststill be supported. That doesn't mean that this support can't be cleanedup and improved, though, especially when the old implementation turns outto have some unpleasant properties. An example can be seen in theiopl() patch set from Thomas Gleixner.

The openSUSE project has been considering aname change as part of its move into a separate foundation since (atleast) June. A long and somewhat controversial vote of project members hasjust come to an end, and the result is conclusive: 225-42 against the namechange.

Security updates have been issued by Arch Linux (linux-hardened), Debian (fribidi), Gentoo (oniguruma, openssh/openssh, openssl, and pump), Mageia (chromium-browser-stable, expat, firefox, freetds, proftpd, python, thunderbird, and unbound), Oracle (sudo), Scientific Linux (thunderbird), Slackware (kernel), SUSE (rubygem-haml), and Ubuntu (fribidi and webkit2gtk).

As of this writing, just over 14,000 non-merge changesets have found theirway into the mainline repository for the 5.4 release; that is a bit lessthan we saw for 5.3, but more than most of the other recent kernels. Thefinal 5.4 release is approaching, so it must be time for our usual look atwhere the code merged in this development cycle came from. It's mostlybusiness as usual in the kernel community, modulo an appearance from noneother than Hulk Robot.

Security updates have been issued by Arch Linux (squid), Fedora (chromium, libssh2, and wpa_supplicant), openSUSE (chromium), Red Hat (ansible, chromium-browser, openstack-octavia, patch, qemu-kvm-rhev, sudo, and thunderbird), Scientific Linux (sudo), SUSE (bluez, gdb, php72, and thunderbird), and Ubuntu (cpio and rygel).

Version1.39.0 of the Rust language is available. The biggest new featureappears to be the async/await mechanism, which is described in thisblog post: "So, what is async await? Async-await is a way towrite functions that can 'pause', return control to the runtime, and thenpick up from where they left off. Typically those pauses are to wait forI/O, but there can be any number of uses."

The LWN.net Weekly Edition for November 7, 2019 is available.

Running untrusted code in a safe manner is generally the goal of sandboxingefforts. The sandbox technique presented by Georgia Tech PhD studentAshish Bijlani at Open Source Summit Europe 2019 is no exception. He has used something of a novelscheme to allow unprivileged code to implement the sandbox policies usingBPF; the policies are then enforced by the kernel.

At OpenSource Summit Europe 2019, Michael C. Jaeger and Maximilian Huberupdated attendees on the FOSSologyproject, which is an open-source license-compliance tool. Theyintroduced FOSSology and talked about how it can be used, but they alsolooked at the new features added in the last few releases. Beyond that,they presented some experiments the project has been doing with creatingmachine-learning models for license recognition.

Stable kernels 5.3.9, 4.19.82, 4.14.152, 4.9.199, and 4.4.199 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (cpio, openafs, proftpd-dfsg, simplesamlphp, and wordpress), Fedora (thunderbird), openSUSE (binutils, docker-runc, kernel, nfs-utils, php7, python3, and samba), Red Hat (389-ds:1.4, ansible, bind, container-tools:1.0, container-tools:rhel8, curl, dbus, dhcp, dovecot, edk2, elfutils, evolution, freeradius:3.0, gdb, gettext, glib2, glibc, GNOME, gnutls, go-toolset:rhel8, http-parser, httpd:2.4, kernel, kernel-rt, libarchive, libjpeg-turbo, libqb, libreswan, libseccomp, libtiff, libvorbis, lldpad, lua, mariadb:10.3, mod_auth_mellon, numpy, openssh, openssl, openstack-octavia, osinfo-db and libosinfo, php:7.2, php:7.3, python-urllib3, python27:2.7, python3, qemu-kvm-rhev, qt5-qtbase, rh-php70-php, rh-python36-python, samba, squid:4, sssd, sudo, systemd, virt-manager, virt:rhel, and yum), SUSE (ardana-ansible, ardana-horizon, ardana-keystone, ardana-manila, ardana-neutron, crowbar-core, crowbar-openstack, grafana, openstack-cinder, openstack-dashboard, openstack-horizon-plugin-manila-ui, openstack-keystone, openstack-manila, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, pdns, python-Django1, python-keystonemiddleware, python-octaviaclient, python-os-brick, python-oslo.cache, python-oslo.messaging, gdb, and libssh2_org), and Ubuntu (firefox).

Linux systems have traditionally run with a single address space thatis shared by user and kernel space. That changed with the advent of theMeltdown vulnerability, which forced the merging of kernel page-table isolation (KPTI) at the end of2017. But, Mike Rapoport said during his 2019Open Source Summit Europe talk, that may not be the end of the story for address-space isolation.There is a good case to be made for increasing the separation of addressspaces, but implementing that may require some fundamental changes in howkernel memory management works.

Red Hat has announcedthe release of Red Hat Enterprise Linux 8.1. This is the first updatein what is planned to be a 6 month cadence for minor releases. The releasenotes contain more information.

Git 2.24 has been released. This blogpost covers the highlights of this release, beginning with featuremacros. "Usually, configuring some behavior requires only a single configuration change, like enabling or disabling any of the aforementioned values. But what about when it doesn’t? What do you do when you don’t know which configuration values to change? For example, let’s say you want to live on the bleeding-edge of the latest from upstream Git, but don’t have a chance to discover all the new configurable options. In Git 2.24, you can now opt into feature macros—one Git configuration that implies many others. These are hand-selected by the developers of Git, and they let you opt into a certain feature or adopt a handful of settings based on the characteristics of your repository."

Security updates have been issued by Arch Linux (electron, ghostscript, glibc, python2, and samba), Debian (webkit2gtk), Slackware (libtiff), SUSE (ImageMagick, python-ecdsa, and samba), and Ubuntu (apport, haproxy, ruby-nokogiri, and whoopsie).

The stable kernel releases are meant to contain as many important fixes aspossible; to that end, the stable maintainers have been making use of a machine-learning system to identify patches that should be considered for astable update. This exercise has had some success but, at the 2019 OpenSource Summit Europe, Sasha Levin asked whether this process could beimproved further. Might it be possible for a machine-learning system toidentify patches that create bugs and intercept them, so that thefixes never become necessary?

Security updates have been issued by Arch Linux (chromium and qt5-webengine), CentOS (firefox and php), Fedora (file, java-latest-openjdk, nspr, nss, php, t1utils, and webkit2gtk3), Mageia (ansible, aspell, golang, libsoup, and libxslt), openSUSE (chromium and chromium, re2), Oracle (php), and Ubuntu (apport and file).