heads up: kernel regression in CentOS 2.6.32 and OpenVZ 2.6.18/2.6.32 kernels creates local DoS (reb

[kaniini]

Rack911 posted a vulnerability to oss-security earlier this evening.

[temp removed]

We (my company) did some of the low-level debugging work on this vulnerability and developed an exploit which reliably triggered it.  It is a race condition related to RCU of kernel data structures in the IPv4 stack.

We decided to release it publically because there was already POC code from a similar bug from 2003 that had about a 50% chance of whacking it anyway.

CVE number will be forthcoming.

 

[Steven]

Well I guess this made it here. All started with us trying to break betterlinux, after we discovered a exploit from 2003 caused some odd behavior we had kaniini take a look and he made it a fully reproducible poc.

 

[Francisco]

Tested it against latest .18 and latest dev .32's.

Annoying

Francisco

 

[rds100]

Damn, i hate reboots for kernel upgrades. Ant the customers hate it too.

 

[kaniini]

Fix: http://turtle.dereferenced.org/~nenolod/hemlock-fix.patch

I am sure someone can build an RPM with this in it.  Personally, dealing with rpmbuild is something I would rather not do.

 

[maounique]

So this is probably related with our nodes reboots for ovz. If this fixes it, then we can restart selling those

I always suspected there is some exploit and someone is running it randomly on a handful of nodes (very old nodes are not affected).

Also, oddly, after we took out the stock and decided not to sell ovz anymore, these reboots halved or so.

 

[Nick_A]

Yeah rebooting again right now would be rough.

 

[SeriesN]

Dangit! Discovered it this weekend and was planning to update by next sunday but it is public now .

 

[Francisco]

Dangit! Discovered it this weekend and was planning to update by next sunday but it is public now .

Been trying to get a ksplice to generate but it's being annoying. I've yet to build a 2.6.32 ksplice so I'm running into a few derps for sure.

Francisco

 

[SeriesN]

Been trying to get a ksplice to generate but it's being annoying. I've yet to build a 2.6.32 ksplice so I'm running into a few derps for sure.


Francisco

Sir,

You HAZ Ksplice? @_@

 

[Francisco]

Sir,

You HAZ Ksplice? @_@

Not on a paid subscription. We roll our own to patch things when we don't want to reboot 90 nodes. It's easier to distro a 100k patch than reboot everyone

To date we've had to roll a half dozen or so ksplices, usually to fix deadlocks. Ksplice is giving me attitude over .32, though, so we'll see.

Francisco

 

[SeriesN]

Not on a paid subscription. We roll our own to patch things when we don't want to reboot 90 nodes. It's easier to distro a 100k patch reboot everyone


To date we've had to roll a half dozen or so ksplices, usually to fix deadlocks. Ksplice is giving me attitude over .32, though, so we'll see.


Francisco

Are you willing to "license" out your Ksplice and patches? I am sure some unfortunate soul would appreciate that.

 

[Francisco]

Are you willing to "license" out your Ksplice and patches? I am sure some unfortunate soul would appreciate that.

Let me get this damn thing to compile properly before I start giving things away

Charging for opensource things is wrong, especially since kaniini wrote the patch my builds based from.

Francisco

 

[SeriesN]

Let me get this damn thing to compile properly before I start giving things away


Charging for opensource things is wrong, especially since kaniini wrote the patch my builds based from.


Francisco

Well, people charge for "PHP" and "linux" related works. Just saying

 

[Francisco]

Well, people charge for "PHP" and "linux" related works. Just saying

The linux people charge for support Anyways that's another subject all together.

Right now i've patched against 76.8 and just waiting for it to chew through. I've given the thing an E3 to run on but it seems it isn't forking multiple threads like I was hoping.

Francisco

 

[Aldryic C'boas]

We're in the business of selling VPSes - why does everyone keep assuming we exist to do their coding work for them?

 

[SeriesN]

We're in the business of selling VPSes - why does everyone keep assuming we exist to do their coding work for them?

Cause You are GOOOOOD at it. Good morning boss, grab a coke and cheer up

 

[Aldryic C'boas]

Doesn't mean we work for free.. and no amount of caffeine or liquor is going to make me start believing that we should function as a free, public helpdesk <_<

 

[SeriesN]

Are you willing to "license" out your Ksplice and patches? I am sure some unfortunate soul would appreciate that

 

Doesn't mean we work for free.. and no amount of caffeine or liquor is going to make me start believing that we should function as a free, public helpdesk

Me Tell before but Big Unicorn Said NOOOOOOOOOOOOOOOOOOOOOOOOOOOO

 

[Magiobiwan]

Is the 2.6.18 kernel line affected? Namely the latest stable version kernel.