Scale - which is based on Debian. Doubly good, that, so I went off checking what I may need for it.
if/else choice can be hard-coded, instead of being run-time evaluated every time. Such branches can be updated too (the kernel just rewrites the code to switch around the branch). All these principles apply to static calls as well, but they're for replacing indirect function calls (i.e. a call through a function pointer) with a direct call (i.e. a hard-coded call address). This eliminates the need for Spectre mitigations (e.g. RETPOLINE) for these indirect calls, and avoids a memory lookup for the pointer. For hot-path code (like the scheduler), this has a measurable performance impact. It also serves as a kind of Control Flow Integrity implementation: an indirect call got removed, and the potential destinations have been explicitly identified at compile-time.
network RNG improvements
CAP_SETGID (instead of to just any group), providing a way to keep the power of granting this capability much more limited. (This isn't complete yet, though, since handling setgroups() is still needed.)
improve kernel's internal checking of file contents
set_fs(), Christoph Hellwig made it possible for set_fs() to be optional for an architecture. He subsequently removed set_fs() entirely for x86, riscv, and powerpc. These architectures will now be free from the entire class of kernel address limit attacks that only needed to corrupt a single value in struct thread_info.
sysfs_emit() replaces sprintf() in /sys
sprintf() and snprintf() in /sys handlers by creating a new helper, sysfs_emit(). This will handle the cases where kernel code was not correctly dealing with the length results from sprintf() calls, which might lead to buffer overflows in the PAGE_SIZE buffer that /sys handlers operate on. With the helper in place, it was possible to start the refactoring of the many sprintf() callers.
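To make the length-accounting defect concrete, here is an added userspace model (not kernel code, and not from the post) of the two patterns: a show() handler that accumulates sprintf() return values with no check against PAGE_SIZE, beside one that goes through an emit_at() helper modelled on sysfs_emit_at()'s offset check and scnprintf-style return value. PAGE_SIZE is assumed to be 4096 and the item strings are constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096   /* assumed page size for this userspace model */

static char demo_page[PAGE_SIZE];   /* stands in for the page a /sys handler fills */

/* Model of sysfs_emit_at(): refuses offsets outside the page, writes only
 * into the space that is left, and returns the bytes actually stored
 * (scnprintf semantics), never the would-be length that snprintf reports. */
static int emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (!buf || at < 0 || at >= PAGE_SIZE)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf + at, (size_t)(PAGE_SIZE - at), fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    if (n >= PAGE_SIZE - at)            /* output was truncated */
        n = PAGE_SIZE - at - 1;
    return n;
}

/* Buggy pattern from the text: every sprintf() return value is summed and
 * nothing checks that the total stays below PAGE_SIZE. Modelled with
 * snprintf(NULL, 0, ...) so the demo itself cannot write past a buffer. */
static size_t show_items_unbounded(unsigned int count)
{
    size_t len = 0;
    for (unsigned int i = 0; i < count; i++)
        len += (size_t)snprintf(NULL, 0, "item-%u: %s\n", i, "enabled");
    return len;   /* may exceed PAGE_SIZE: the real handler would overrun the page */
}

/* Hardened handler: accumulate through emit_at(); the sum can never reach PAGE_SIZE. */
static int show_items_bounded(char *page, unsigned int count)
{
    int len = 0;
    for (unsigned int i = 0; i < count; i++) {
        int n = emit_at(page, len, "item-%u: %s\n", i, "enabled");
        if (n == 0)
            break;   /* page full or offset out of range: stop instead of overrunning */
        len += n;
    }
    return len;
}
```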
nosymfollow mount option
nosymfollow mount option. This entirely disables symlink resolution for the given filesystem, similar to other mount options where noexec disallows execve(), nosuid disallows setid bits, and nodev disallows device files. Quoting the patch, it is useful "as a defensive measure for systems that need to deal with untrusted file systems in privileged contexts." (i.e. for when /proc/sys/fs/protected_symlinks isn't a big enough hammer.) Chrome OS uses this option for its stateful filesystem, as symlink traversal has been a common attack-persistence vector.
ARMv8.5 Memory Tagging Extension support
-Warray-bounds compiler flag and clear the path for saner bounds checking of array indexes and memcpy() usage.
That's it for now! Please let me know if you think anything else needs some attention. Next up is Linux v5.11.
2022, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
   5371 Luca Falavigna
   5121 Alexander Reichle-Schmehl
   4401 Ansgar Burchardt
   3928 DAK's auto-decrufter
   3257 Scott Kitterman
   2225 Joerg Jaspert
   1983 James Troup
   1793 Torsten Werner
   1025 Jeroen van Wolffelaar
    763 Ryan Murray
For comparison, here is the number of removals by year for the past 6 years:
   5103 2011
   2765 2012
   3342 2013
   3394 2014
   3766 2015 (1842 removed by auto-decrufter)
   2845 2016 (2086 removed by auto-decrufter)
Which tells us that in 2015, the FTP masters and the decrufter performed on average over 10 removals a day. And by the looks of it, 2016 will surpass that. Of course, the auto-decrufter has a tendency to increase the number of removed items since it is an advocate of "remove early, remove often!". Data is from https://ftp-master.debian.org/removals-full.txt. Scoreboard computed as:
grep ftpmaster: removals-full.txt | perl -pe 's/.*ftpmaster:\s+//; s/\]$//;' | sort | uniq -c | sort --numeric --reverse | head -n10
Removals by year computed as:
grep ftpmaster: removals-full.txt | perl -pe 's/.* (\d{4}) \d{2}:\d{2}:\d{2}.*/$1/' | uniq -c | tail -n6
(yes, both could be done with fewer commands)
preferences.js files.
To be able to lift the restriction that packages must be built in the same path, translation support for the __FILE__
C pre-processor macro would also be required. Joerg Sonnenberger submitted a patch back in 2010 that would still be useful today.
Chris Lamb started work on providing a deterministic mode for debootstrap.
Packages fixed
The following packages have become reproducible due to changes in their
build dependencies:
bouncycastle,
cairo-dock-plug-ins,
darktable,
gshare,
libgpod,
pafy,
ruby-redis-namespace,
ruby-rouge,
sparkleshare.
The following packages became reproducible after getting fixed:
SOURCE_DATE_EPOCH in the documentation generator.
Makefile.
tmpfs. (h01ger)
200 GiB have been added to jenkins.debian.net (thanks to ProfitBricks!) to make room for new jobs. The current count is at 962 and growing!
diffoscope development
Aside from some minor bugs that have been fixed, a one-line change made huge memory (and time) savings, as the output of the transformation tool is now streamed line by line instead of being loaded entirely into memory at once.
disorderfs development
Andrew Ayer released disorderfs version 0.4.2-1 on December 22nd. It fixes a memory corruption error when processing command line arguments that could cause command line options to be ignored.
Documentation update
Many small improvements for the documentation on reproducible-builds.org sent by Georg Koppen were merged.
Package reviews
666 (!) reviews have been removed, 189 added and 162 updated in the previous week.
151 new fail to build from source reports have been made by Chris West, Chris Lamb, Mattia Rizzolo, and Niko Tyni.
New issues identified: unsorted_filelist_in_xul_ext_preferences, nondeterminstic_output_generated_by_moarvm.
Misc.
Steven Chamberlain drew our attention to one analysis of the Juniper ScreenOS Authentication Backdoor: "Whilst this may have been added in source code, it was well-disguised in the disassembly and just 7 instructions long. I thought this was a good example of the current state-of-the-art, and why we'd like our binaries, and eventually installer and VM images, reproducible IMHO."
Joanna Rutkowska has mentioned possible ways for Qubes to become reproducible on their development mailing list.
Next.