Torvalds Creates Patch for Cross-Platform Virus 195
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Fix it? (Score:5, Informative)
Re:Does this mean... (Score:5, Informative)
Re:Does this mean... (Score:3, Informative)
Incorrect title (Score:5, Informative)
Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.
Re:On the other hand... (Score:4, Informative)
Re:Incorrect title (Score:5, Informative)
Re:Incorrect title (Score:5, Informative)
Yes -- and it's quite possible that this bug was affecting other code, but with programs any more complicated than a virus, nobody debugged far enough to figure out that it was a kernel bug.
Re:mis-feature (Score:5, Informative)
So if a 'virus' is using standard OS features that legitimate applications also use, and suddenly the virus stops working, there's obviously been a change, and it breaks those legitimate applications.
In short, Torvalds didn't want to remove a feature without prior discussion.
Grammar Nazi Strikes! (Score:2, Informative)
What he patched was the Linux kernel. Thus, he created the patch for the kernel. You know this usage; however, it is not the only one. Your attempt at a correction was flawed.
Really now? (Score:2, Informative)
Re:Incorrect title (Score:2, Informative)
Re:Incorrect title (Score:3, Informative)
Re:Bug Virus? (Score:5, Informative)
The virus, written in assembly, calls the kernel via a depreciated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.
The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't suppossed to as a policy) so gcc forms code to make the system call in less time (less instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).
The virus itself uncovered what should be a bug! (Score:4, Informative)
Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.