Programming Leftovers and Free Software
Project Zero: Racing against the clock -- hitting a tiny kernel race window
I recently discovered a race condition (https://crbug.com/project-zero/2247) in the Linux kernel. (While trying to explain to someone how the fix for CVE-2021-0920 worked - I was explaining why the Unix GC is now safe, and then got confused because I couldn't actually figure out why it's safe after that fix, eventually realizing that it actually isn't safe.) It's a fairly narrow race window, so I was wondering whether it could be hit with a small number of attempts - especially on kernels that aren't built with CONFIG_PREEMPT, which would make it possible to preempt a thread with another thread, as I described at LSSEU2019.
This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. I didn't do a full exploit though, I stopped at getting evidence of use-after-free (UAF) accesses (with the help of a very large file descriptor table and userfaultfd, which might not be available to normal users depending on system configuration) because that's the part I was curious about.
This also demonstrates that even very small race conditions can still be exploitable if someone sinks enough time into writing an exploit, so be careful if you dismiss very small race windows as unexploitable or don't treat such issues as security bugs.
Horn: Racing against the clock
Jann Horn describes in great detail the process he went through to exploit a tiny race window in the kernel.
RedisJSON 2 Adds Indexing Option
Redis has introduced RedisJSON 2, an enhanced version of the Redis module that implements the JSON Data Interchange Standard as a native data type. The module can be used to store, update and fetch JSON values from Redis documents.
Redis is an open source, BSD licensed, advanced key-value store where the keys can contain strings, hashes, lists, sets and sorted sets. It’s popular for web development as a session state store because of its simplicity and rich data structure support.
Yoast WordPress SEO Bug Creates Duplicate Sitemaps
A sharp-eyed search marketer noticed that Yoast was generating duplicate sitemaps. It’s not known how long this has been happening, but the head of SEO at Yoast acknowledged the bug and noted that Yoast is aware of the problem and says it is working on a fix.
Let me tell you about curl | daniel.haxx.se
This is a recorded online presentation about curl that I did today, March 24 2022. How it started, grew, where it is today, how we make it and where it perhaps might go in the future.
School's back in session at Open Source 101
Join us next week for Open Source 101, a one-day conference where we'll dive into the latest around FOSS virtual & augmented reality, and look at the implications of enabling automated testing upstream!
Designed for developers, technologists, students and decision makers alike, this educational event will touch on different tools and processes that are integral to navigating different aspects of open source. It's an excellent opportunity for novice learners but also for those more experienced to reinforce any insights that they might have,
Hamsket – SparkyLinux
Free, Open Source and Cross Platform messaging and emailing app that combines common web applications into one.
