Announcement

Collapse
No announcement yet.

DisplayLink DRM Driver Had A Local Privilege Escalation Vulnerability

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • DisplayLink DRM Driver Had A Local Privilege Escalation Vulnerability

    Phoronix: DisplayLink DRM Driver Had A Local Privilege Escalation Vulnerability

    CVE-2018-8781 was made public today as a new local privilege escalation vulnerability in the mainline Linux kernel that has been present since the Linux 3.4 kernel release six years ago...

    http://www.phoronix.com/scan.php?pag...-CVE-2018-8781

  • #2
    We need to rewrite this in Rust or better stop using Linux, so nobody will ever find and report anything. /sarcasm
    Last edited by Pawlerson; 05-02-2018, 10:25 AM.

    Comment


    • #3
      Originally posted by Pawlerson View Post
      We need to rewrite this in Rust or better stop using Linux, so nobody will ever find report anything.
      Not everything can be fixed using Rust. Last time I checked, about 70% of the vulnerabilities in Linux could have been prevented, but there are still logic errors difficult to track. In any case, with such a big codebase, it's impossible to port it to any other language. Looking forward to Redox, though.

      Comment


      • #4
        Originally posted by Pawlerson View Post
        We need to rewrite this in Rust or better stop using Linux, so nobody will ever find report anything.
        Having half-decent code analysis tools would also help, in the real world.

        Comment


        • #5
          There are plenty of Rust fanatics out there... I will do a search for what's so special about Rust as people can use Rust to write vulnerable code or create a backdoor. All program languages have flaws.

          Comment


          • #6
            Originally posted by Pawlerson View Post
            We need to rewrite this in Rust or better stop using Linux, so nobody will ever find report anything.
            Release builds of Rust programs do not check integer overflow. A Rust version of this program, all else being equal, could have the exact same bug.
            Last edited by microcode; 05-02-2018, 09:25 AM.

            Comment


            • #7
              Originally posted by microcode View Post

              Release builds of Rust programs do not check integer overflow. A Rust version of this program, all else being equal, could have the exact same bug.
              People also seem to forget that Rust also does not magically protect against logic bugs.

              Comment


              • #8
                I think I've only ever seen one DisplayLink monitor in use. I don't think this technology is very popular.

                Comment


                • #9
                  Originally posted by cybertraveler View Post
                  I think I've only ever seen one DisplayLink monitor in use. I don't think this technology is very popular.
                  Because most monitors don't require the bandwith it provides. Mostly used on professional and high-end monitors like Acer XB271HU.

                  Comment


                  • #10
                    Originally posted by GraysonPeddie View Post
                    There are plenty of Rust fanatics out there... I will do a search for what's so special about Rust as people can use Rust to write vulnerable code or create a backdoor. All program languages have flaws.
                    Yep, you can use "unsafe" code blocks for those things. The nice thing is that they have to be explicit and makes debugging these kind of vulnerabilities much easier. It wouldn't be nice if you couldn't do any "risky" things, if you really want to. It's just safe by default, but you can explicitly write unsafe code. There are probably a lot of "fanatics" out there, but it's true that in safety critical applications, Rust can be beneficial.

                    Originally posted by microcode View Post

                    Release builds of Rust programs do not check integer overflow. A Rust version of this program, all else being equal, could have the exact same bug.
                    It's partly true: they don't check integer overflow by default, buy you should use the wrapper types that do check for it in safety crytical parts of the code.

                    Originally posted by ssokolow View Post

                    People also seem to forget that Rust also does not magically protect against logic bugs.
                    True, many logic bugs are not avoided, but since Rust uses exhaustive pattern matching and favors iterators, it can avoid some logic bugs. Nevertheless, my comment about bugs that could be avoided was related to about 70% of the kernel security bugs in 2016 being off-by-one, double frees, data races and segmentation faults.

                    Comment

                    Working...
                    X