[$] Hibernation in the cloud
([Kernel] May 25, 2020 15:26 UTC (Mon) (corbet))
Hibernation is normally thought of as a laptop feature — and an old and obsolete laptop feature at that. One does not normally consider it to be relevant in cloud settings. But, at the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), Andrea Righi argued that there may actually be a place for hibernation on cloud-based systems if it can be made to work reliably.
[1] http://retis.sssup.it/ospm-summit/
[$] Imbalance detection and fairness in the CPU scheduler
([Kernel] May 22, 2020 19:26 UTC (Fri) (corbet))
The kernel's CPU scheduler is good at distributing tasks across a multiprocessor system, but does it do so fairly? If some tasks get a lot more CPU time than others, the result is likely to be unhappy users. Vincent Guittot ran a session at the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM) looking into this issue, with a focus on detecting load imbalances between CPUs and what to do with a workload that cannot be balanced.
[1] http://retis.sssup.it/ospm-summit/
LWN.net Weekly Edition for May 28, 2020
GNOME resolves Rothschild patent suit
([Briefs] May 21, 2020 14:18 UTC (Thu) (corbet))
The patent suit [1]filed against the GNOME Foundation last September [2]has now been resolved. "In this walk-away settlement, GNOME receives a release and covenant not to be sued for any patent held by Rothschild Patent Imaging. Further, both Rothschild Patent Imaging and Leigh Rothschild are granting a release and covenant to any software that is released under an existing Open Source Initiative approved license (and subsequent versions thereof), including for the entire Rothschild portfolio of patents, to the extent such software forms a material part of the infringement allegation." There is no mention of what the foundation had to give — if anything — for this settlement,
[1] https://lwn.net/Articles/800516/
[2] https://www.gnome.org/news/2020/05/patent-case-against-gnome-resolved/
Security updates for Thursday
([Security] May 21, 2020 14:12 UTC (Thu) (jake))
Security updates have been issued by Arch Linux (keycloak, qemu, and thunderbird), Debian (dovecot), Fedora (abcm2ps and oddjob), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and kernel-rt), SUSE (ant, bind, and freetype2), and Ubuntu (bind9 and linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2).
A review of open-source software supply chain attacks
([Security] May 21, 2020 14:13 UTC (Thu) (corbet))
Here's [1]a preprint paper from Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier looking at attacks on language-specific repositories. "Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions."
[1] https://arxiv.org/abs/2005.09535
Stable kernel updates
([Kernel] May 20, 2020 17:35 UTC (Wed) (ris))
Stable kernels [1]5.6.14, [2]5.4.42, [3]4.19.124, [4]4.14.181, [5]4.9.224, and [6]4.4.224 have been released with important fixes. Users should upgrade.
[1] https://lwn.net/Articles/820972/
[2] https://lwn.net/Articles/820973/
[3] https://lwn.net/Articles/820974/
[4] https://lwn.net/Articles/820975/
[5] https://lwn.net/Articles/820976/
[6] https://lwn.net/Articles/820977/
A remote code execution vulnerability in qmail
([Security] May 20, 2020 16:43 UTC (Wed) (corbet))
Just in case anybody out there is still using qmail: a remote code execution vulnerability has just been disclosed. Its CVE number is CVE-2005-1513 because, as it turns out, the problem was reported 15 years ago but the fix was refused by the maintainer. "As a proof of concept, we developed a reliable, local and remote exploit against Debian's qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory)."
Security updates for Wednesday
([Security] May 20, 2020 14:24 UTC (Wed) (ris))
Security updates have been issued by Debian (bind9 and clamav), Fedora (kernel, moodle, and transmission), Oracle (kernel), Red Hat (ipmitool, kernel, ksh, and ruby), Slackware (bind and libexif), SUSE (dpdk, openconnect, python, and rpmlint), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv and linux-gke-5.0, linux-oem-osp1).
[$] The deadline scheduler and CPU idle states
([Kernel] May 22, 2020 13:42 UTC (Fri) (corbet))
As Rafael Wysocki conceded at the beginning of a session at the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), the combination of the [2]deadline scheduling class with CPU idle states might seem a little strange. Deadline scheduling is used in realtime settings, where introducing latency by idling the CPU tends to be frowned upon. But there are reasons to think that these two technologies might just be made to work together.
[1] http://retis.sssup.it/ospm-summit/
[2] https://lwn.net/Articles/743740/
NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack
([Security] May 19, 2020 19:04 UTC (Tue) (jake))
CZ.NIC staff member Petr Špaček has a [1]blog post describing a newly disclosed DNS resolver vulnerability called [2]NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously DNS resolver cannot send a query to “name”, so the resolver first needs to obtain IPv4 or IPv6 address of authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then it can continue resolving the original query 'example.com. A'. This glueless delegation is the basic principle of the NXNSAttack: Attacker simply sends back delegation with fake (random) server names pointing to victim DNS domain, thus forcing the resolver to generate queries towards victim DNS servers (in a futile attempt to resolve fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the [3]paper [PDF].
[1] https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
[2] http://cyber-security-group.cs.tau.ac.il/
[3] http://cyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf
[$] Saving frequency scaling in the data center
([Kernel] May 21, 2020 17:04 UTC (Thu) (corbet))
Frequency scaling — adjusting a CPU's operating frequency to save power when the workload demands are low — is common practice across systems supported by Linux. It is, however, viewed with some suspicion in data-center settings, where power consumption is less of a concern and there is a strong emphasis on getting the most performance out of the hardware. At the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), Giovanni Gherdovich worried that frequency scaling may be about to go extinct in data centers; he made a plea for improving its behavior for such workloads while there is still time.
[1] http://retis.sssup.it/ospm-summit/
[$] The pseudo cpuidle driver
([Kernel] May 21, 2020 14:19 UTC (Thu) (corbet))
The purpose of a cpuidle governor is to decide which idle state a CPU should go into when it has no useful work to do; the cpuidle driver then actually puts the CPU into that state. But, at the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), Abhishek Goel presented a new cpuidle driver that doesn't actually change the processor's power state at all. Such a driver will clearly save no power, but it can be quite useful as a tool for evaluating and debugging cpuidle policies.
[1] http://retis.sssup.it/ospm-summit/
Security updates for Tuesday
([Security] May 19, 2020 14:30 UTC (Tue) (ris))
Security updates have been issued by Debian (dpdk and exim4), Fedora (openconnect, perl-Mojolicious, and php), Red Hat (kernel and kpatch-patch), Slackware (sane), and Ubuntu (bind9, dpdk, exim4, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-snapdragon, and linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon).
[$] Bao: a lightweight static partitioning hypervisor
([Kernel] May 20, 2020 14:30 UTC (Wed) (corbet))
Developers of safety-critical systems tend to avoid Linux kernels for a number of fairly obvious reasons; Linux simply was not developed with that sort of use case in mind. There are increasingly compelling reasons to use Linux in such systems, though, leading to a search for the best way to do so safely. At the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), José Martins described [2]Bao, a minimal hypervisor aimed at safety-critical deployments.
[1] http://retis.sssup.it/ospm-summit/
[2] https://github.com/bao-project/bao-hypervisor
[$] The state of the AWK
([Development] May 19, 2020 21:49 UTC (Tue) (benhoyt))
AWK is a text-processing language with a history spanning more than 40 years. It has a [1]POSIX standard, several conforming implementations, and is still surprisingly relevant in 2020 — both for simple text processing tasks and for wrangling "big data". The recent [2]release of GNU Awk 5.1 seems like a good reason to survey the AWK landscape, see what GNU Awk has been up to, and look at where AWK is being used these days.
[1] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/awk.html
[2] https://lists.gnu.org/archive/html/info-gnu/2020-04/msg00007.html
[$] Evaluating vendor changes to the scheduler
([Kernel] May 19, 2020 16:59 UTC (Tue) (corbet))
The kernel's CPU scheduler does its best to make the right decisions for just about any workload; over the years, it has been extended to better handle mobile-device scheduling as well. But handset vendors still end up applying their own patches to the scheduler for the kernels they ship. Shipping out-of-tree code in this way leads to a certain amount of criticism from the kernel community but, as Vincent Donnefort pointed out in his session at the 2020 [1]Power Management and Scheduling in the Linux Kernel summit (OSPM), those patches are applied for a reason. He looked at a set of vendor scheduler patches to see why they are being used.
[1] http://retis.sssup.it/ospm-summit/
[$] Scheduler benchmarking with MMTests
([Kernel] May 19, 2020 12:28 UTC (Tue) (corbet))
The [1]MMTests benchmarking system is normally associated with its initial use case: testing memory-management changes. Increasingly, though, MMTests is not limited to memory management testing; at the 2020 [2]Power Management and Scheduling in the Linux Kernel summit (OSPM), Dario Faggioli talked about how he is using it to evaluate changes to the CPU scheduler, along with a discussion of the changes he had to make to get useful results for systems hosting virtualized guests.
[1] https://github.com/gormanm/mmtests
[2] http://retis.sssup.it/ospm-summit/
Security updates for Monday
([Security] May 18, 2020 14:49 UTC (Mon) (ris))
Security updates have been issued by Debian (apache-log4j1.2, exim4, libexif, and openconnect), Fedora (chromium, condor, java-1.8.0-openjdk, java-1.8.0-openjdk-aarch32, mingw-ilmbase, mingw-OpenEXR, sleuthkit, and squid), Mageia (jbig2dec, libreswan, netkit-telnet, ntp, and suricata), openSUSE (mailman and nextcloud), SUSE (autoyast2, file, git, gstreamer-plugins-base, libbsd, libvirt, libvpx, libxml2, mailman, and openexr), and Ubuntu (dovecot and json-c).
Kernel prepatch 5.7-rc6
([Kernel] May 18, 2020 12:11 UTC (Mon) (corbet))
Linus has [1]released the 5.7-rc6 kernel prepatch, which contains a bit more churn than he would like. "That said, there's nothing particularly scary in here, and it's not like this rc6 is outrageously big or out of control. I was just hoping for less."
[1] https://lwn.net/Articles/820764/