
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] Modern C for Fedora (and the world)

[Distributions] Posted Dec 8, 2023 16:02 UTC (Fri) by corbet

It can be instructive to pull down the dog-eared copy of the first edition of The C Programming Language that many of us still have on our bookshelves; the language has changed considerably since that book was published. Many "features" of early C have been left behind, usually for good reasons, but there is a lot of code in the wild that is still using those features. A concerted effort is being made in both the Fedora and GCC communities to fix that old code and enable some new errors in the GCC 14 release (which is in stage 3 of its development cycle and likely to be released by mid-2024), but a fair amount of work remains to be done.

Full Story (comments: 47)

[$] Controlling shadow-stack allocation in clone3()

[Kernel] Posted Dec 7, 2023 16:28 UTC (Thu) by corbet

User-space shadow stacks are a relatively new feature in Linux; support was only added for 6.6, and is limited to the x86 architecture. As support for other architectures (including arm64 and RISC-V) approaches readiness, though, more thought is going into the API for this feature. As a recent discussion on the integration of shadow stacks with the clone3() system call shows, there are still some details to be worked out.

Full Story (comments: 3)

[$] LWN.net Weekly Edition for December 7, 2023

Posted Dec 7, 2023 0:58 UTC (Thu)

The LWN.net Weekly Edition for December 7, 2023 is available.

Inside this week's LWN.net Weekly Edition

  • Front: OpenPGP disagreement; !CVE; Binder in Rust; Nouveau driver; Proxy execution.
  • Briefs: Spectre SLAM; CXL microconference; Django 5.0; GDB 14.1; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] A schism in the OpenPGP world

[Security] Posted Dec 6, 2023 22:16 UTC (Wed) by jake

The OpenPGP standard for email encryption has been around since 1997, when it was derived from the venerable Pretty Good Privacy (PGP) program that was released in 1991. Since it came about, OpenPGP has been the decentralized, interoperable way to exchange encrypted email, though its use never really took off as advocates hoped. Now, though, it would seem that a split in the OpenPGP community threatens to fragment the OpenPGP-encrypted-email landscape, potentially leading to interoperability woes.

Full Story (comments: 27)

[$] Supplementing CVEs with !CVEs

[Security] Posted Dec 5, 2023 20:34 UTC (Tue) by jake

The Common Vulnerabilities and Exploits (CVE) system is the main mechanism for tracking various security flaws, using the omnipresent CVE number—even vulnerabilities with fancy names and web sites have CVE numbers. But the CVE system is not without its critics and, in truth, the incentives between the reporting side and those responsible for handling the bugs have always been misaligned, which leads to abuse of various kinds. There have been efforts to combat some of those abuses along the way; a newly announced "!CVE" project is meant to track vulnerabilities "that are not acknowledged by vendors but still are serious security issues".

Full Story (comments: 30)

[$] What remains to be done for proxy execution

[Kernel] Posted Dec 4, 2023 16:00 UTC (Mon) by corbet

The kernel's deadline scheduling class offers a solution to a number of realtime (or generally latency-sensitive) problems, but it is also resistant to the usual solutions for the priority-inversion problem. The development community has been pursuing proxy execution as a solution to a few scheduling challenges, including this one; the problem is difficult and progress has been slow. LWN last looked at proxy execution in June; at the 2023 Linux Plumbers Conference, John Stultz gave an overview of proxy execution, the current status of the work, and the remaining problems to solve.

Full Story (comments: 9)

[$] A Nouveau graphics driver update

[Kernel] Posted Dec 1, 2023 16:13 UTC (Fri) by corbet

Support for NVIDIA graphics processors has traditionally been a sore point for Linux users; NVIDIA has not felt the need to cooperate with the kernel community or make free drivers available, and the reverse-engineered Nouveau driver has often struggled to keep up with product releases. There have, however, been signs of improvement in recent years. At the 2023 Linux Plumbers Conference, graphics subsystem maintainer Dave Airlie provided an update on the state of support for NVIDIA GPUs and what remains to be done.

Full Story (comments: 18)

[$] A Rust implementation of Android's Binder

[Kernel] Posted Nov 30, 2023 14:54 UTC (Thu) by corbet

The Android system was once famous for extensive, out-of-tree kernel enhancements. Many of those have been eliminated or upstreamed over the years, bringing Android much closer to the mainline kernel. One significant component in the "upstreamed" category is Binder, an interprocess communication mechanism that is used only by Android. There are a number of factors that make Binder a good candidate for rewriting in the Rust language; at the 2023 Linux Plumbers Conference, Carlos Llamas and Alice Ryhl described the motivation behind and implementation of a rewrite of Binder in Rust.

Full Story (comments: 27)

LWN.net Weekly Edition for November 30, 2023

Posted Nov 30, 2023 0:18 UTC (Thu)

The LWN.net Weekly Edition for November 30, 2023 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Kernel samepage merging; Drgn; Klint; Realtime preemption; 2023 Kernel Maintainers Summit.
  • Briefs: GNU Name System; Firefox 120; Git 2.43; LibreQoS 1.4; NVK; PipeWire 1.0; Rust 1.74; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

An overview of kernel samepage merging (KSM)

[Kernel] Posted Nov 29, 2023 21:45 UTC (Wed) by jake

In the Kernel Summit track at the 2023 Linux Plumbers Conference (LPC), Stefan Roesch led a session on kernel samepage merging (KSM). He gave an overview of the feature and described some recent changes to KSM. He showed how an application can enable KSM to deduplicate its memory and how the feature can be evaluated to determine whether it is a good fit for new workloads. In addition, he provided some real-world data of the benefits from his workplace at Meta.

Full Story (comments: none)

A bunch of new stable kernels

[Kernel] Posted Dec 8, 2023 15:42 UTC (Fri) by jake

The 6.6.5, 6.1.66, 5.15.142, 5.10.203, 5.4.263, 4.19.301, and 4.14.332 stable kernels have been released. As usual, they contain important fixes throughout the kernel tree.

Comments (none posted)

Security updates for Friday

[Security] Posted Dec 8, 2023 14:53 UTC (Fri) by jake

Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).

Full Story (comments: none)

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

[Security] Posted Dec 7, 2023 15:10 UTC (Thu) by corbet

This ars technica article describes how secure-boot firmware on a huge range of systems can be subverted with a malicious image file:

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs [independent BIOS vendors] are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process.

Comments (35 posted)

Security updates for Thursday

[Security] Posted Dec 7, 2023 14:18 UTC (Thu) by jake

Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography).

Full Story (comments: none)

SLAM: a new Spectre technique

[Security] Posted Dec 6, 2023 16:03 UTC (Wed) by corbet

Many processor vendors provide a mechanism to allow some bits of a pointer value to be used to store unrelated data; these include Intel's linear address masking (LAM), AMD's upper address ignore, and Arm's top-byte ignore. A set of researchers has now come up with a way (that they call "SLAM") to use those features to bypass many checks on pointer validity, opening up a new set of Spectre attacks.

In response to SLAM, Intel made plans to provide software guidance prior to the future release of Intel processors which support LAM (e.g., deploying LAM jointly with LASS). Linux engineers developed patches to disable LAM by default until further guidance is available. ARM published an advisory to provide guidance on future TBI-enabled CPUs. AMD did not implement guidance updates and pointed to existing Spectre v2 mitigations to address the SLAM exploit described in the paper.

See the full paper for the details.

Comments (16 posted)

Security updates for Wednesday

[Security] Posted Dec 6, 2023 14:33 UTC (Wed) by corbet

Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis).

Full Story (comments: none)

Security updates for Tuesday

[Security] Posted Dec 5, 2023 14:09 UTC (Tue) by jake

Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).

Full Story (comments: none)

Django 5.0 released

[Development] Posted Dec 4, 2023 16:03 UTC (Mon) by corbet

Version 5.0 of the Django web framework is out. Significant changes include database-computed default values, field groups in the templating system, and more; see the release notes for details.

Comments (none posted)

GDB 14.1 released

[Development] Posted Dec 4, 2023 15:54 UTC (Mon) by corbet

Version 14.1 of the GDB debugger is out. Changes include initial support for the debugger adapter protocol, NO_COLOR support, the ability to work with integer types larger than 64 bits, a number of enhancements to the Python API, and more.

Full Story (comments: 2)

Bueso: LPC 2023: CXL Microconference

[Kernel] Posted Dec 4, 2023 14:49 UTC (Mon) by corbet

Davidlohr Bueso has posted a summary of the CXL microconference at the recently concluded Linux Plumbers Conference. "The goals for the track were to openly discuss current on-going development efforts around the core driver, as well as experimental memory management topics which lead to accommodating kernel infrastructure for new technology and use cases."

Comments (none posted)



Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds