Hírolvasó

The memfd interface is a bit of a strange and Linux-specific beast; it was initially created to support the secure passing of data between cooperating processes on a single system. It has since gained other roles, but it may still come as a surprise to some to learn that memory regions created for memfds, unlike almost any other data area, have the execute permission bit set. That can facilitate attacks; this patch set from Jeff Xu proposes an addition to the memfd API to close that hole.

Greg Kroah-Hartman has announced the release of the 6.0.14, 5.15.84, 5.10.160, and 5.4.228 stable kernels. They contain a relatively small number of important fixes throughout the tree.

Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel-linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).

A Microsoft bejelentette, hogy a Microsoft Edge jövő februári frissítése véglegesen letiltja az Internet Explorer 11 (IE11) böngésző asztali verzióját egyes Windows 10-es rendszereken. Mindezt természetes megelőzte egy még június 15-i figyelmeztetés, ami arról tájékoztatta a felhasználókat, hogy véget ért az Internet Explorer támogatása, és a jövőben meg is fogják szüntetni a böngésző működését. Így […]

The post A Microsoft Edge egy jövő évi frissítése le fogja tiltani az Internet Explorer-t first appeared on Nemzeti Kibervédelmi Intézet.

A Google pénteken bejelentette, hogy tesztelési fázisba lépett a Gmail kliens oldali titkosítása (CSE). A tesztelésre 2023. január 20-ig jelentkezhetnek a Google Workspace Enterprise Plus, az Education Plus és az Education Standard ügyfelei, személyes Google fiókkal viszont nem érhető el a bétaverzió. A Gmail kliens oldali titkosításával az e-mail törzsében és mellékleteiben szereplő érzékeny adatok […]

The post Tesztelés alatt áll a Gmail ügyfél oldali titkosítási funkciója first appeared on Nemzeti Kibervédelmi Intézet.

Version 4.0.0 of the Apache SpamAssassin spam filter has been released.

Apache SpamAssassin 4.0.0 contains numerous tweaks and bug fixes over the past releases. In particular, it includes major changes that significantly improve the handling of text in international language.

As with any major release, there are countless functional patches and improvements to upgrade to 4.0.0. Apache SpamAssassin 4.0.0 includes several years of fixes that significantly improve classification and performance. It has been thoroughly tested in production systems. We strongly recommend upgrading as soon as possible.

Turns out that linking to several days old public data in order to demonstrate that Elon's jet was broadcasting its tail number in the clear is apparently "posting private information" so for anyone looking for me there I'm actually here

comments

Version 5.0.0 of the OCaml programming language is out.

The highlight of this new major version of OCaml is the long-awaited runtime support for shared memory parallelism and effect handlers. This multicore support is the culmination of more than 8 years of effort, and required a full rewrite of the OCaml runtime environment. Consequently, OCaml 5.0.0 is expected to be a more experimental version of OCaml than the usual OCaml releases.

After cleaning up the radv stuff I decided to go back and dig into the anv support for H264.

The current status of this work is in a branch[1]. This work is all against the current EXT decode beta extensions in the spec.

This contains an initial implementation of H264 Intel GPUs that anv supports. I've only tested it on Kabylake equivalents so far. It decodes some of the basic streams I've thrown at it from ffmpeg. Now this isn't as far along as the AMD implementation, but I'm also not sure I'm programming the hardware correctly. The Windows DXVA API has 2 ways to decode H264, short and long. I believe but I'm not 100% sure the current Vulkan API is quite close to "short", but the only Intel implementations I've found source for are for "long". I've bridged this gap by writing a slice header parser in mesa, but I think the hw might be capable of taking over that task, and I could in theory dump a bunch of code. But the programming guides for the hw block are a bit vague on some of the details around how "long" works. Maybe at some point someone in Intel can tell me :-)

Building:

git clone https://gitlab.freedesktop.org/airlied/mesa

git checkout anv-vulkan-video-prelim-decode

mkdir build

meson build -Dvulkan-beta=true -Dvulkan-drivers=intel -Dvideo-codecs=h264dec --prefix=<prefix>

cd build

ninja

ninja install

Running:export VK_ICD_FILENAMES=<prefix>/share/vulkan/icd.d/intel_icd.x86_64.json

export ANV_VIDEO_DECODE=1

vulkaninfo

This should show support for VK_KHR_video_queue, VK_KHR_video_decode_queue, VK_EXT_video_decode_h264.

[1] https://gitlab.freedesktop.org/airlied/mesa/-/tree/anv-vulkan-video-prelim-decode

Shadow stacks are one of the methods employed to enforce control-flow integrity and thwart attackers; they are a mechanism for fine-grained, backward-edge protection. Most of the time, applications are not even aware that shadow stacks are in use. As is so often the case, though, life gets more complicated when the Checkpoint/Restore in Userspace (CRIU) mechanism is in use. Not breaking CRIU turns out to be one of the big challenges facing developers working to get user-space shadow-stack support into the kernel.

Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium).

Version 4.18 of the Xfce desktop environment has been released.

Since Xfce 4.16 a lot of major development happened. Our team added multiple nice new features, did a gazillion of bug fixes and did various minor improvements. Finally, all that is going to be released for your pleasure.

See the announcement for a long list of new features.

Once upon a time, Linus Torvalds would try to set a pace of about 1,000 changesets pulled into the mainline each day during the early part of the merge window. For 6.2, though, the situation is different; no less than 9,278 non-merge changesets were pulled during the first two days. Needless to say, these commits affect the kernel in numerous ways, even though there are fewer fundamental changes than were seen in 6.1.

Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland).

Az Európai Bizottság kedden hozta nyilvánosságra a Brüsszel és Washington közötti transzatlanti adattovábbítással kapcsolatos megállapodás jóváhagyásáról szóló határozattervezetet, amelynek célja az amerikai kémkedéssel kapcsolatos aggályok eloszlatása.

The post Újabb lépéssel közelebb egy EU – USA közötti adattovábbítási megállapodáshoz first appeared on Nemzeti Kibervédelmi Intézet.

Ted Ts'o, in collaboration with the Linux Foundation Technical Advisory Board, has put together a document called the Linux kernel contribution maturity model to help companies improve their participation in the kernel development process.

The goal is to encourage, in a management-friendly way, companies to allow their engineers to contribute with the upstream Linux Kernel development community, so we can grow the "talent pipeline" for contributors to become respected leaders, and eventually kernel maintainers.

The 6.0.13, 5.15.83, 5.10.159, 5.4.227, 4.19.269, 4.14.302, and 4.9.336 stable kernel updates have all been released; each contains another set of important fixes.

A previous post in this series showed how you can use the --bootargs parameter and .boot files to supply kernel boot parameters to the kernels under test.  This works, but it turns out that there is another way, which is often the case with the Linux kernel.  This other way is Masami Hiramatsu's bootconfig facility, which is nicely documented in detail here.  This blog post is a how-to guide on making use of bootconfig when running rcutorture.

The bootconfig facility allows kernel boot parameters to be built into initrd or directly into the kernel itself, this last being the method used here.  This requires that the kernel build system be informed of the parameters.  Suppose that these parameters are placed in a file named /tmp/dump_tree.bootparam as follows:

kernel.rcutree.dump_tree=1
kernel.rcutree.blimit=15

Note well the "kernel." prefix, which is required here.  The other option is an "init." prefix, which would cause the parameter to instead be passed to the init process.

Then the following three Kconfig options inform the build system of this file:

CONFIG_BOOT_CONFIG=y
CONFIG_BOOT_CONFIG_EMBED=y
CONFIG_BOOT_CONFIG_EMBED_FILE="/tmp/dump_tree.bootparam"

The resulting kernel image will then contain the above pair of kernel boot parameters.  Except that you also have to tell the kernel to look for these parameters, which is done by passing in the "bootconfig" kernel boot parameter.  And no, it does not work to add a "kernel.bootconfig" line to the /tmp/dump_tree.bootparam file!  You can instead add it to a .boot file or to the kvm.sh command line like this: "--bootargs bootconfig".

For example, given this command:

tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 30s --configs TREE05 \
   --bootargs "bootconfig" --trust-make

The resulting console.log file would contain the following text, indicating that these boot parameters had in fact been processed correctly, as indicated by the "Boot-time adjustment of callback invocation limit to 15." and the last three lines that begin with "rcu_node tree layout dump".

-----------
Running RCU self tests
rcu: Preemptible hierarchical RCU implementation.
rcu:     CONFIG_RCU_FANOUT set to non-default value of 6.
rcu:     RCU lockdep checking is enabled.
rcu:     Build-time adjustment of leaf fanout to 6.
rcu:     Boot-time adjustment of callback invocation limit to 15.
rcu:     RCU debug GP pre-init slowdown 3 jiffies.
rcu:     RCU debug GP init slowdown 3 jiffies.
rcu:     RCU debug GP cleanup slowdown 3 jiffies.
Trampoline variant of Tasks RCU enabled.
rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
rcu: rcu_node tree layout dump
rcu:  0:7 ^0
rcu:  0:3 ^0  4:7 ^1
-----------

What happens if you use both CONFIG_BOOT_CONFIG_EMBED_FILE and the --bootargs parameter?  The kernel boot parameters passed to --bootargs will be processed first, followed by those in /tmp/dump_tree.bootparam.  Please note that the semantics of repeated kernel-boot parameters is subsystem-specific, so please also be careful.

The requirement that the "bootconfig" parameter be specified on the normal kernel command line can be an issue in environments where the this command line is not easily modified.  One way of avoiding such issues is to create a Kconfig option that causes the kernel to act as if the "bootconfig" parameter had been specified.  For example, the following -rcu commit does just this with a new CONFIG_BOOT_CONFIG_FORCE Kconfig option:

674b57ddd75e ("bootconfig: Allow forcing unconditional bootconfig processing")

It is important to note that although these embedded kernel-boot parameters show up at the beginning of the "/proc/cmdline" file, they may also be found in isolation in the "/proc/bootconfig" file, for example, like this:

$ cat /proc/bootconfig
kernel.rcutree.dump_tree = 1
kernel.rcutree.blimit = 15

Why do the embedded kernel-boot parameters show up at the beginning of "/proc/cmdline" instead of at the end, given that they are processed after the other parameters?  Because of the possibility of a "--" in the non-embedded traditionally sourced kernel boot parameters, which would make it appear that the embedded kernel-boot parameters were intended for the init process rather than for the kernel.

But what is the point of all this?

Within the context of rcutorture, probably not much.  But there are environments where external means of setting per-kernel-version kernel-boot parameters is inconvenient, and rcutorture is an easy way of testing the embedding of those parameters directly into the kernel image itself.

The LWN.net Weekly Edition for December 15, 2022 is available.

A report from the syzbot kernel fuzz-testing robot does not usually spawn a vitriolic mailing-list thread, but that is just what happened recently. While the invective is regrettable, the underlying issue is important. The dispute revolves around how best to report bugs to affected subsystems and, ultimately, how not to waste maintainers' time.