Fixing Linux

Everything has security problems, even Linux. An old and obscure problem with the gcc compiler was recently discovered to have left a security hole in essentially every version of Linux that anyone is likely to be running. Here's what you need to know about fixing it.

The problem itself was discovered by Brad Spengler, the hacker behind the open-source network and server security program, grsecurity. What he found was that in some network code, there was a procedure that included a variable that could be set to NULL (no value at all). Now, this didn't appear to be a problem because the programmer also included a test which would return an error-message if the variable turned out to have a NULL value.

So far, so good. Unfortunately, the gcc code optimizer on finding that a variable has been assigned a NULL value removed the test! This left a hole, that didn't exist in the original program. Using this hole, and code provided by Spengler, any cracker with sufficient access to a Linux computer could get into the computer's memory and, from there, get into all kinds of mischief. For more on the down and dirty technical details, turn to Jonathan Corbet's story, "Fun with NULL Pointers."

That was bad. But, then Google Security Team members Tavis Ormandy and Julien Tiennes discovered that this kind of problem existed in numerous, network protocol programs. To be exact, the problem exists in implementations of AppleTalk, IPX, IRDA, X.25, AX.25, Bluetooth, IUCV, INET6 (aka IPV6), PPP over X and ISDN. Except for IPV6 (Internet Protocol Version 6) and Bluetooth, many of you may never even have heard of most of those protocols, never mind used them.

That said, if the code for those protocols is in your Linux kernel, your Linux is vulnerable. Most of you, whether you know it or now, have one or more of those protocols active on your system, so this is not a small problem.

Fortunately, there are fixes. Instead of trying to clean up the protocol implementations one by one--I mean seriously does anyone actually use IUCV (Inter-User Communications Vehicle), an old IBM VM networking protocol?--Linus Torvalds elected to force all these protocols to use kernel_sendpage(), which does the right thing with code having this problem. As Torvalds wrote on the LKML (Linux Kernel Mailing List), "Now, arguably this might be something that we could instead solve by just specifying that all protocols should do it themselves at the protocol level, but we really only care about the common protocols. Does anybody really care about sendpage on something like Appletalk? Not likely."

So, the latest versions of the Linux kernel, 2.6.27.30 and 2.6.30.5, and for those using old Linux versions, Linux kernel 2.4.37.5, include this universal fix. Of course, you have to get that fix into what you're actually running.

Most of the Linux vendors are rapidly pushing out the patch. Ubuntu has released it for its entire family from Ubuntu 6.06 to Ubuntu 9.04. This will also eventually cover Ubuntu downstream distributions like Mint. Tiennes has also written a grsecurity package to protect Debian and Ubuntu users .

For Red Hat Linux users, there is a work-around, but you should know that there are reports that it doesn't cover all the bases. CentOS, which is based on Red Hat Linux, is recommending a similar fix, but it probably has similar problems. There is, however, a fix that's now available for Fedora 11.

Novell's SLE (SUSE Linux Enterprise) and openSUSE just released patches today for all currently supported versions.

If I haven't listed your distribution, check with your vendor or community. Within a few days, at most, you should have a fixed, and secure, Linux system.

Join the discussion
Be the first to comment on this article. Our Commenting Policies