With the Linux 6.2 release, kernel developers addressed "a tasty target for attackers" after it was realized that the per-CPU entry data was not being randomized, even in the presence of Kernel Address Space Layout Randomization (KASLR). The per-CPU entry area randomization has been present since Linux 6.3, but it was then realized that it is being activated even if KASLR is disabled, so that is now changing to avoid possible confusion.
Linux Security News Archives
258 Linux Security open-source and Linux related news articles on Phoronix since 2006.
Ahead of the Linux 6.3-rc1 release later today, a set of "x86/urgent" patches were sent out Sunday morning that include the change to allow Single Threaded Indirect Branch Predictors (STIBP) to be used in the presence of legacy Indirect Branch Restricted Speculation (IBRS) for security reasons.
Since last year the Linux kernel has mistakenly left systems relying on the original Indirect Branch Restricted Speculation (IBRS) for Spectre V2 mitigation without Single Threaded Indirect Branch Predictor (STIBP) coverage for cross-Hyper-Threading protection against this Spectre vulnerability. There is a patch underway that resolves this issue for Intel Skylake era systems.
Back in 2020 Google and the Open-Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank the importance/criticality of open-source projects. The Criticality Score is a means of quantifying the importance of an open-source project, for instance when judging which projects are in need of funding or development assistance. Criticality Score 2.0 has now been published.
Linus Torvalds merged to Linux 6.3 Git the TPM CRB support for Microsoft's controversial Pluton security co-processor that is initially found in the latest AMD Ryzen processors.
A proposed Linux kernel patch would provide a new Kconfig build-time option, "CONFIG_DEFAULT_CPU_MITIGATIONS_OFF", for building an insecure kernel for those wanting to avoid the growing list of CPU security mitigations within the kernel and their associated performance overhead.
Merged back in Linux 5.13 last year was Landlock for allowing unprivileged application sandboxing. Landlock allows restricting ambient rights for a set of processes and is implemented as a stackable Linux security module (LSM) for establishing safe security sandboxes. With Linux 6.2 file truncation support is added for Landlock.
Intel on Sunday posted a set of Linux patches implementing virtualization support for the SPEC CTRL VMX feature found in new Intel CPUs, to help with migrating virtual machines to hosts with different CPU microarchitectures where the available security mitigations may differ.
As an enhancement to the out-of-the-box Linux kernel in its default x86_64 configuration, enabling Indirect Branch Tracking by default was being eyed. That change to enable IBT by default has been picked up by TIP's x86/core branch, thus putting it on deck as material for next month's Linux 6.2 merge window.
Indirect Branch Tracking (IBT) is still being eyed for enabling as part of the default Linux x86_64 kernel configurations to provide better out-of-the-box security on supported processors. A patch sent out today continues the upstream discussion over flipping on this feature by default that is part of Intel's Control-flow Enforcement Technology (CET) for helping to defend against jump/call oriented programming attacks.
Two high severity security vulnerabilities affecting OpenSSL were made public today; these were the issues that led to Fedora 37 being delayed to mid-November so that the release images could ship with mitigated OpenSSL packages.
Back in August 2021 Intel posted initial "FineIBT" patches for the Linux kernel, aiming to combine the best of their Control-flow Enforcement Technology (CET) and Control Flow Integrity to raise the kernel's security protections in an efficient manner.
While the Linux 6.1 merge window has just passed and the "Call Depth Tracking" patches have been in development for the past few months, it looks like Linux 6.2 is where that alternative mitigation technique will be introduced, helping to offset some of the significant performance regressions incurred on Intel Skylake era processors as a result of recent CPU security vulnerability mitigations.
Git 2.38.1 was just released along with updates to older versions, including the new point releases of v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4. The big set of Git updates today is due to two more security issues coming to light.
This morning's batch of Linux kernel point releases to existing stable series is worth upgrading to given the important security fixes.
In addition to MGLRU and Maple Tree having been merged overnight, Linus Torvalds also picked up the x86/mm changes for Linux 6.1 that will now by default warn about W+X mappings.
The x86/core changes for Linux 6.1 have been merged and are headlined by making sure an INT3 instruction is inserted after every unconditional Retpoline jump (JMP) for the Retpolines handling on both Intel and AMD processors.
The Security Enhanced Linux (SELinux) changes for Linux 6.1 come with a documentation update that provides a good reminder for a public service announcement: run-time disabling of SELinux is deprecated and will be removed in the future.
A kernel hardening security improvement on the way for Linux 6.1 is the ability to warn about possible memcpy()-based overflows. Right now this is only a warning, but it is work towards being able to address "trivially detectable" buffer overflow conditions within the kernel and may in the future be able to block such overflows from happening.
Over the summer Jason Donenfeld of WireGuard fame proposed adding getrandom() to the vDSO to provide better performance for user-space developers. This past week he sent out the latest version of this proposed kernel patch, where he is seeing around a ~15x speed-up with this change.
Proposed a few years ago was Kernel Address Space Isolation (KASI / ASI) for limiting data leaks with the growing number of speculative execution attacks on CPUs. Several organizations have been involved with Address Space Isolation efforts for the Linux kernel including IBM, Oracle, and Google with various approaches. Google engineers earlier this year posted a newer iteration of ASI focused on KVM use for the cloud / VMs. ASI still hasn't made it to the mainline kernel but Google engineers this week at LPC argued that it should be the path forward for mainline in better dealing with these CPU security vulnerabilities.
Longtime Linux kernel engineer Peter Zijlstra with Intel has sent out his latest "Call Depth Tracking" patches as a mitigation for Retbleed that aims to be less costly on system performance than the current mitigation approach. With this latest patch series, he indicates he hopes to soon get this code mainlined.
Back in July Intel's Peter Zijlstra proposed "Call Depth Tracking" as a mitigation approach for handling Retbleed and avoiding the "performance horror show" of Indirect Branch Restricted Speculation (IBRS) usage. Out today is the newest version of the Call Depth Tracking code and the performance benchmark results are looking very promising for lessening the pain of the Retbleed CPU mitigation performance impact.
In addition to being busy leading WireGuard, Jason Donenfeld continues working heavily on the Linux kernel's random number generator (RNG) code. For Linux 6.0, a number of RNG improvements are ready.
While relevant Intel and AMD processors have been mitigated for the recent Retbleed security vulnerability affecting older generations of processors, those mitigations currently only work for x86_64 kernels and will not work if running an x86 (32-bit) kernel on affected hardware. It is unlikely to get fixed unless some passionate individual steps up, as the upstream developers and vendors have long since moved on to caring only about x86_64.
Merged this afternoon to the mainline Linux 5.19 Git kernel and set for back-porting is a fix for a new security bug. Oracle made public CVE-2022-21505 on Tuesday as a trivial bypass to the Linux kernel's lockdown mode.
Due to the new "Retbleed" security mitigation further hurting CPU performance for affected processors, Intel engineers have revisited work on call depth tracking mitigation as an alternative to the Indirect Branch Restricted Speculation (IBRS) mitigation to help in lowering the overhead costs.
Being made public this Patch Tuesday is "RETBLEED" as two new CVEs for the latest speculative execution attacks affecting today's hardware. Retbleed exploits return instructions and is able to undermine existing defenses against Spectre Branch Target Injection (BTI).
The Linux kernel has long honored the "nordrand" kernel parameter to disable kernel use of the Intel RDRAND and RDSEED instructions if not trusting them -- either out of security concerns that they could be compromised by the vendor or running into hardware/firmware issues around RdRand usage. But the Linux kernel is preparing to drop that kernel parameter with users encouraged to use the more generic "random.trust_cpu" parameter.
Merged yesterday into Linux 5.19 as a post merge window change is making the kernel's signature verification code FIPS compliant.
Akamai Security Research today is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March.
Hertzbleed has been made public today as a new family of side-channel attacks making use of frequency side channels. Both Intel and AMD have issued security advisories as a result.
The EFI changes for the Linux 5.19 kernel bring a few interesting changes, including the ability to access secrets injected into the boot image via Confidential Computing "CoCo" hypervisors.
Google engineer Sami Tolvanen has posted the second "request for comments" patch series on KCFI as a Control-Flow Integrity implementation better geared for Linux kernel usage than the existing CFI support.
Merged as part of Linux 5.18 is Intel's Indirect Branch Tracking (IBT) support as part of CET (Control Flow Enforcement) technology. Indirect Branch Tracking is intended to help protect against JUMP/CALL oriented attacks as part of CET's control-flow integrity protections. Meanwhile still being worked on is "FineIBT" as a more compiler-hardened version built atop Intel CET/IBT.
Linux 5.18 is bringing many random/RNG improvements thanks to the work of kernel developer Jason Donenfeld. One of the changes though that had to be backed out during the merge window was trying to get /dev/random and /dev/urandom to behave exactly the same. While reverted for now with the 5.18 code, Donenfeld has prepared a change that should get it into good shape for major architectures with the next kernel cycle.
Hitting the mainline Linux Git tree today was a rather interesting fix... It turns out that when Linux was resuming from S3 suspend, it wasn't correctly restoring the MSRs for the boot CPU around handling speculative execution mitigations.
Within minutes of the BHI speculative execution vulnerability going public, patches were merged into the mainline Linux kernel Git tree for mitigating this offshoot of Spectre V2. The Intel and Arm processors affected by BHI (also referred to as Spectre-BHB) receive mitigation work, plus there is a change that also impacts AMD processors.
The VUSec security researchers are today -- in cooperation with Intel -- disclosing another new speculative execution vulnerability... BHI is the name and it's an offshoot from Spectre V2.
Last week marked the tenth iteration of the "FGKASLR" Linux patches for providing per-function kernel address space layout randomization support.
A security researcher presented at last weekend's Free and Open source Software Developers' European Meeting (FOSDEM) conference on mitigating processor vulnerabilities like Spectre and Meltdown at negligible performance cost.
The Linux 5.17 kernel is introducing support for the x86 straight-line speculation "SLS" mitigation, as it becomes increasingly clear that modern x86_64 CPUs are susceptible to speculatively executing linearly in memory past an unconditional change in control flow.
A decade old patch is set to be mainlined in the upcoming Linux 5.17 that has been carried by Google's Chrome OS kernel build for years and can help with security on Linux systems not relying upon systemd's udev.
It's been nearly two years in the making since Intel posted FGKASLR patches for improving Linux kernel security. While that work on Finer Grained / Function Granular KASLR stalled for a year, in recent months it was revived, and in 2022 this security feature looks to be on a path to mainlining.
The recent activity around x86 (x86_64 included) straight-line speculation mitigation handling is set to culminate with this security feature landing in mainline with the upcoming Linux 5.17 cycle.
This week's set of "x86/urgent" changes for the Linux 5.16-rc4 kernel due out later today has some Spectre V1 fixes after kernel commits last year ended up partially messing things up around its SWAPGS handling. These fixes in turn will also likely be back-ported to relevant stable kernel series.
A year after Arm processors began mitigating straight-line speculation, Linux developers have been working on similar straight-line speculation mitigations for x86/x86_64 processors.
Kernel Address Space Layout Randomization has been common on Linux for a decade and a half now, while more recently work has focused on Function-Granular (sometimes referred to as Finer-Grained) KASLR, which further ups the security benefits by making it much harder to predict kernel address positions for attacks.
Last week Google engineers uncovered a reference count underflow issue affecting all Linux kernels going back to v4.14 in 2017. This issue led to memory leaking from one process to another and was only uncovered by accident. To address this class of memory corruption issues moving forward, Google is proposing a new "Page Table Check" feature.
In addition to IO_uring improvements in Linux 5.16 itself, the Security Enhanced Linux "SELinux" patches for this new kernel cycle bring controls and auditing around IO_uring.