The Linux Kernel Had Many Vulnerabilities Last Year
Written by Michael Larabel in Linux Kernel on 19 January 2016 at 01:06 PM EST. 1 Comment
LINUX KERNEL --
While today's 0-day local privilege escalation bug is making the news rounds on the Internet, there were many other security vulnerabilities discovered within the Linux kernel last year -- many of which didn't receive as much attention and some of them are even yet to be resolved.

In light of today's news is a new kernel mailing list thread about 2015 CVEs for the Linux kernel. There were 75 CVEs issued for the Linux kernel last year, five of the CVEs have yet to be patched, and one of the CVEs is still private.

CVE-2015-8575 is the one still private that also hasn't been patched yet. The only details on that one are related to net/bluetooth. The other yet to be resolved CVEs deal with the file-system, ptrace, and KVM code. In terms of the CVEs for the Linux kernel from last year, Dan Carpenter explained in his post:
There was only a coupls CVEs that looks like they came from a filesystem fuzzer where you create a corrupt filesystems and then try use them. There was only one that might have come from a USB fuzzer. We probably should be testing those things better.

There was one CVE from Smatch. Smatch has improved, inspired by the ozwpan bugs and hopefully could catch most of those bounds errors now.

Quite a few bugs were found using the Trinity fuzzer. Also the new syzkaller fuzzer seems to have found a bunch of stuff. Good work. I think people are using the fuzzers with kasan as well which is a fantastic tool.

Many of the use-after-free and unintialized data bugs would be less harmful if we had some kernel hardenning patches.

A lot of the bugs are just really complicated things with funny corner cases, namespace issues or people just made mistake in the logic and it's hard to do anything about it.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Linux Kernel News
Popular News