@vegard@mastodon.social
@vegard@mastodon.social avatar

vegard

@vegard@mastodon.social

Linux kernel, open source. SAT solvers, cryptography, GPU and graphics programming, compilers, fuzzing, security.

Former Ksplicer.

The views expressed on this website are my own and do not reflect the views of Oracle.

This profile is from a federated server and may be incomplete. Browse more on the original instance.

kernellogger, to linux
@kernellogger@fosstodon.org avatar

Jeremy Allison writes:

'" The data shows that “frozen” vendor kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream “stable” Linux created by Greg Kroah-Hartman. '"

https://ciq.com/blog/why-a-frozen-linux-kernel-isnt-the-safest-choice-for-security/

vegard,
@vegard@mastodon.social avatar

@kernellogger On the other hand, what's the difference between a distro branching off and backporting stuff from mainline and upstream stable branching off and backporting stuff from mainline? Why can the upstream stable maintainers do this and "a team of engineers" cannot? I think the difference could be better characterized and (if you pardon the expression) makes all the difference.

vegard, to random
@vegard@mastodon.social avatar

I found myself on Google Maps.

In a satellite picture.

🤯

pervognsen, (edited ) to random
@pervognsen@mastodon.social avatar

Had a very weird first 24 hours back in Europe until I realized (after noticing this for two different kinds of bottles with screw-off plastic caps) that the plastic caps don't detach anymore from the collar. That's new since last year. EU regulation apparently?

vegard,
@vegard@mastodon.social avatar

@pervognsen Some of them are really annoying if you want to pour from the bottle if they aren't tight enough because the whole thing will rotate around and you'll effectively pour into the cap and splash everywhere.

But you get used to it and take precautions.

vegard, to infosec
@vegard@mastodon.social avatar

Good comment describing how various CAP_* are de facto equivalent to root: https://lwn.net/Articles/971891/

This is not news, of course, but it's interesting to see it spelled out. Are there other pages/lists like this? Maybe even a cap-to-root script/program..?

kernellogger, (edited ) to linux
@kernellogger@fosstodon.org avatar

The Kernel Report - Jonathan Corbet (@corbet), @LWN

The recording of this recent talk is now available on the #ossna2024 schedule page: https://ossna2024.sched.com/event/1aBNs/the-kernel-report-jonathan-corbet-lwnnet

Slides can be found here: https://static.lwn.net/talks/2024/kr-ossna.pdf

Direct link to the recording: https://www.youtube.com/watch?v=DAqjl_x4hZc

#Linux #kernel #LinuxKernel

vegard,
@vegard@mastodon.social avatar

@kernellogger @corbet @gregkh In this talk, Jon repeats the line that future LTS stable kernels will only be maintained for 2 years -- is that current or just a remnant of the misconception from last year?

vegard,
@vegard@mastodon.social avatar

@corbet @kernellogger @gregkh https://mastodon.social/@gregkh@social.kernel.org/111415774008482555

vegard,
@vegard@mastodon.social avatar

@monsieuricon @kees @kernellogger @corbet @gregkh Thanks for the clarifications -- I guess there is a subtle (but significant) difference between "they're going to drop that back to just two years of support for the long-term stable releases" (literal quote) vs. "we start out at 2 and extend as needed" (paraphrased FAQ + parent toot).

vegard, to random
@vegard@mastodon.social avatar

Are these all the special sections that run code on program init/exit? Did I miss any?

.section .preinit_array; .quad fun
.section .init, "ax"; callq fun
.section .init_array; .quad fun
.section .ctors, "aw"; .quad fun
.section .dtors, "aw"; .quad fun
.section .fini_array; .quad fun
.section .fini, "ax"; callq fun

vegard,
@vegard@mastodon.social avatar

@amonakov 🤔 well, obviously there's _start/main and ld.so itself but I meant more like "things I can link with an existing program/library and have it run without modifying anything else".

@pervognsen So .ctors.* and .dtors.* work, anything else..?

vegard, to random
@vegard@mastodon.social avatar

Underrated // playlist, if you're into that kind of thing: https://www.youtube.com/playlist?list=PL174BD0BBD87B53FA

vegard,
@vegard@mastodon.social avatar

@pervognsen Yeah, I guess YouTube isn't the main place people listen to this kind of thing. I was just looking at the view counts which are in the low Ks for most of them (and with likes in low double digits)

vegard, to random
@vegard@mastodon.social avatar

One fucking hour into the holiday and a truck backs into our car at a stop light, what the fuck? At least nobody got hurt. Need a new car though. Gah

vegard, to random
@vegard@mastodon.social avatar

No further comment 😡

vegard,
@vegard@mastodon.social avatar

Anything can be a paper if you just use LaTeX. Get that nice veneer of Real Science(TM) on your blog post

vegard, to random
@vegard@mastodon.social avatar

Self-balancing trees are really interesting. When a tree or branch becomes horizontally oriented or if the tree experiences some form of stress that affects its balance, the distribution of auxin can be altered. Auxin tends to accumulate on the lower side of the tilted branch due to gravity (a phenomenon called gravitropism). This reduces the suppression exerted by auxin on the lower lateral buds (allowing them to become more active) and causes upward growth from a new apical meristem.

vegard, to random
@vegard@mastodon.social avatar

lol

vegard, to random
@vegard@mastodon.social avatar

Saw this in a HackerNews comment:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/scripts/xz_wrap.sh?h=next-20240328#n34

That is indeed scary -- exactly the kind of thing that sort of makes sense in isolation (xz --robot --version outputs some environment variables) and then just becomes a gadget for exploitation if xz were to start outputting something different there...

vegard, to random
@vegard@mastodon.social avatar

Sock puppets pressuring the maintainer to pass the baton? https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html This is UGLY.

Let's remember to be kind to each other and to Lasse, who perhaps is the worst affected victim here.

vegard, to random
@vegard@mastodon.social avatar

Upstream backdoor discovered in xz-utils/liblzma: https://www.openwall.com/lists/oss-security/2024/03/29/4

It seems to affect ssh authentication.

As far as we know, only xz-utils 5.6.0/5.6.1 are affected and these are luckily not yet widely deployed.

vegard,
@vegard@mastodon.social avatar

@christian Thanks... this was pointed out by @brenns10 as well, but I think this only happens if your sshd doesn't link with systemd/liblzma? Anyway, yeah, a bit unfortunate, hopefully those that need it will figure it out.

vegard,
@vegard@mastodon.social avatar

@christian @brenns10

Does it fit in a toot?

#! /bin/bash

set -u

find path to liblzma used by sshd

path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"

does it even exist?

if [ "$path" == "" ]
then
echo probably not vulnerable
exit
fi

check for function signature

if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
echo probably vulnerable
else
echo probably not vulnerable
fi

vegard, to random
@vegard@mastodon.social avatar

On the topic of whether something is a CVE or not, "You should lean on the side of assigning", says CVE Board member Lisa Olson about the new CNA rules at

gregkh, to random

For your Sunday reading: https://arxiv.org/pdf/2402.05212.pdf "An Investigation of Patch Porting Practices of the
Linux Kernel Ecosystem" in which different distros, and Android, are evaluated as to how up to date they stay with upstream fixes. Note that RHEL or CentOS is not evaluated "because of the lack of public git repositories or insufficient data."

About time someone started writing papers about this stuff...

vegard,
@vegard@mastodon.social avatar

@gregkh This is interesting:

"In addition, we find that CVE is also a focus for distributions (as they are responsible for the security of their customers). In particular, [distro] maintainers usually attach a CVE ID to indicate that the patch fixes a known security vulnerability. Interestingly, we note that the picked CVE patches appear in distributions 74.2 days earlier than LTS on average; even if the picked CVE patches are later than LTS, it is only 16.7 days later on average."

vegard, to random
@vegard@mastodon.social avatar

Damn it, I hate the Android/Moto camera so much. I just took a really beautiful picture of my son building something and a few seconds later the photo has vanished, it's just gone, as if I never took it. I saw it, I had it, for a few seconds I could navigate between that and the 3-4 other pictures that I took. Then some stupid "processing service" progress bar appeared and just deleted the whole thing, I guess. Fuck software

vegard, to random
@vegard@mastodon.social avatar

"OpenELA is committing to providing a platform for developers to collaborate on the maintenance of the 4.14 Linux kernel after community support ended in January."

https://www.oracle.com/news/announcement/openela-announces-kernel-lts-project-in-support-of-linux-kernel-414-2024-03-12/

  • All
  • Subscribed
  • Moderated
  • Favorites
  • provamag3
  • rosin
  • thenastyranch
  • Durango
  • DreamBathrooms
  • ngwrru68w68
  • magazineikmin
  • cubers
  • Youngstown
  • mdbf
  • slotface
  • osvaldo12
  • GTA5RPClips
  • kavyap
  • megavids
  • InstantRegret
  • everett
  • tacticalgear
  • vwfavf
  • tester
  • normalnudes
  • modclub
  • ethstaker
  • khanakhh
  • cisconetworking
  • anitta
  • Leos
  • JUstTest
  • All magazines
    •