NULL Pointer Dereference Bug – A Security Hole In Linux? Say It Ain’t So!
It’s not often that you actually hear about a security hole being found in Linux. Most of that is because Linux is considerably more secure than most operating systems. Part of it, though, is something of a conspiracy to downplay Linux vulnerabilities as a “denial of service” rather than a “security hole in the kernel”.
Still, bugs do happen. Security holes do pop up, even in Linux. And Brad Spengler of grsecurity has found himself one. It’s the “NULL pointer dereference” bug, and it is present even in versions 2.6.30 and 2.6.30.1 of the Linux kernel. Strangely enough, it seems that the exploit only works when SELinux (Security-Enhanced Linux) is enabled. Turn on security for insecurity? So it seems. Though it has also been found to work when other features are installed, such as PulseAudio.
The basic bug comes down to just what the name suggests. There are places in the kernel code, such as in net/tun, where a check is supposed to ensure that a variable doesn’t point to NULL. However, because the pointer is already dereferenced before that check, the compiler, when building with optimizations as is so often done, concludes the pointer cannot be NULL and removes the code that performs the check. That leaves a nice security hole where the kernel can be made to access memory it should never touch.
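As an added illustration (not code from the article, and not the kernel’s own source), here is a simplified C stand-in for that pattern: the buggy ordering, where the pointer is read before it is tested, next to the fixed ordering. The struct names and the poll_* functions are toy stand-ins, not the kernel’s definitions.

```c
/* Added example, not from the article or the kernel: a toy stand-in for the
 * tun poll handler's NULL-check ordering. struct tun_struct and struct sock
 * are simplified types, not the kernel's definitions. */
#include <stddef.h>
#include <stdio.h>

enum { TUN_POLL_IN = 0x01, TUN_POLL_ERR = 0x08 };  /* mirror POLLIN / POLLERR */

struct sock { int queued; };             /* toy socket: has pending data? */
struct tun_struct { struct sock *sk; };  /* toy device: owns a socket */

/* Buggy ordering: tun->sk is read BEFORE tun is tested. Reading through a
 * NULL pointer is undefined behaviour, so an optimizing compiler is free to
 * assume tun is non-NULL at the check and delete it, leaving a bare
 * dereference that can run with tun == NULL. */
unsigned int poll_buggy(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;           /* dereference first ...            */
    if (!tun)                            /* ... check second: may be removed */
        return TUN_POLL_ERR;
    return sk->queued ? TUN_POLL_IN : 0;
}

/* Fixed ordering: nothing is read through tun until it has been tested, so
 * the check is meaningful and cannot be optimized away. (The kernel has since
 * also built with -fno-delete-null-pointer-checks as a second line of defence.) */
unsigned int poll_fixed(struct tun_struct *tun)
{
    struct sock *sk;
    if (!tun)
        return TUN_POLL_ERR;
    sk = tun->sk;
    return sk->queued ? TUN_POLL_IN : 0;
}

/* Helper: poll a valid device whose socket has data queued. */
unsigned int poll_fixed_with_data(void)
{
    struct sock s = { .queued = 1 };
    struct tun_struct t = { .sk = &s };
    return poll_fixed(&t);
}

int main(void)
{
    printf("valid device: 0x%x\n", poll_fixed_with_data());  /* 0x1 */
    printf("NULL device:  0x%x\n", poll_fixed(NULL));        /* 0x8 */
    /* poll_buggy(NULL) is deliberately never called: it is undefined behaviour. */
    return 0;
}
```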
The odd thing is that, so far, most of the Linux community, including Linus Torvalds himself, is unimpressed by the danger of the security hole. And perhaps they have a bit of a point, in that so far it can’t actually be used for remote access, and the only proof of concept that Spengler is offering involves using setuid, which is itself a rather embarrassing gaping security hole in Linux.
But it of course brings up a lot of tricky security questions which the Linux community would rather not admit or answer, such as why holes like these aren’t immediately and permanently fixed, as is so often done in the open-source community when bugs are found.
Sometimes you almost feel like everyone is Microsoft these days…
