A remote code execution bug, which could allow arbitrary code to be run on Linux servers, has been discovered in the Linux kernel. Several Linux distributions are vulnerable, including Ubuntu and OpenSUSE. Fortunately, Red Hat Enterprise Linux and its derivative CentOS do not include the buggy code and are not at risk.
The flaw was discovered in the Linux x32 application binary interface (ABI), which was only recently activated by default in a number of popular Linux distributions. An ABI is similar in principle to an API (application programming interface), but at the level of machine code. The x32 ABI is intended to allow 32-bit code to run efficiently on 64-bit architectures. Unlike ia32, x32 lets 32-bit code run in native 64-bit mode, taking advantage of the 64-bit architecture's larger set of registers and reducing the amount of memory that applications use. In tests, x32 was shown to be significantly more efficient than ia32, with an application like the Crafty chess engine performing up to 40% better.
The bug, which was announced by Kees Cook of the Chromium project, is caused by a user-land pointer parameter that the kernel dereferences directly when it is passed to a system call, allowing arbitrary data to be executed. The offending code is present in all Linux kernels since the 3.4 release.
According to Kees:
“The impact is a sort of arbitrary kernel write-where-what primitive by unprivileged users.”
As already noted, the x32 ABI is active in several distributions by default, including Ubuntu, some of its derivatives (although not the Mint Desktop Edition), and OpenSUSE.
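Whether a particular host is exposed depends on the kernel it runs and on whether that kernel was built with the x32 ABI, not on the distribution name alone. The check below is an added example, not part of the original article; it assumes the kernel build configuration is readable at /boot/config-$(uname -r) and that the option enabling the ABI is CONFIG_X86_X32, and it applies the article's own cut-off that kernels before 3.4 do not carry the x32 code at all.

```shell
#!/bin/sh
# Classify a host's exposure to the x32 ABI bug from its kernel release string
# and its kernel build configuration file.
#
# x32_exposure <kernel-release> <config-file>
# Prints exactly one of:
#   not-affected-old-kernel  - release is older than 3.4 (no x32 code present)
#   x32-enabled              - kernel at or after 3.4 built with CONFIG_X86_X32=y
#   x32-disabled             - kernel at or after 3.4, x32 not enabled (or config unreadable)
x32_exposure() {
    rel=$1
    cfg=$2
    major=${rel%%.*}              # "3.13.0-generic" -> "3"
    rest=${rel#*.}                # "3.13.0-generic" -> "13.0-generic"
    minor=${rest%%[!0-9]*}        # "13.0-generic"   -> "13"

    # Kernels before 3.4 predate the x32 ABI entirely.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        echo not-affected-old-kernel
        return 0
    fi

    # CONFIG_X86_X32 (assumed option name) is what turns the x32 ABI on at build time.
    if grep -q '^CONFIG_X86_X32=y' "$cfg" 2>/dev/null; then
        echo x32-enabled
    else
        echo x32-disabled
    fi
}

# Demo on a constructed config fragment (not copied from any real system),
# then on the host this script runs on.
demo=$(mktemp)
printf 'CONFIG_X86_64=y\nCONFIG_X86_X32=y\n' > "$demo"
echo "constructed sample: $(x32_exposure 3.13.0-generic "$demo")"
rm -f "$demo"
echo "this host: $(x32_exposure "$(uname -r)" "/boot/config-$(uname -r)")"
```

A config reported as "x32-disabled" because the file is unreadable should be re-checked against /proc/config.gz or the distribution's kernel package before concluding the host is safe.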
However, in spite of demands from users, the ABI is not activated by default in Fedora, RHEL, or CentOS. Red Hat developer Jakub Jelinek, in a 2012 discussion about x32 support on the Red Hat developer mailing list, commented that:
“x32 is less secure than x86-64, the possible address space randomization is much more limited there, while there is ASCII armor, it can protect just a couple of libraries, unlikely all of them. With LP64 certain kinds of exploits are harder.”
Because x32 is beneficial in only a small number of use cases, and most users will never miss it, it was decided that the risk of introducing a slew of potential vulnerabilities via the complex x32 ABI was not worth the potential benefits, a decision that in retrospect has proven to be well founded.
So, CentOS users can rest easy. Their servers are immune to this particular bug. If you want to know more about the Linux x32 ABI, there's an excellent description on LWN.
Photo credits: Stu’s Images