Post Syndicated from corbet original https://lwn.net/Articles/940152/

Google’s Project Zero has spent some time studying the Arm memory tagging
extension (MTE), support for which was
merged into the 5.10 kernel, and posted
the results:

Despite its limitations, MTE is still by far the most promising
path forward for improving C/C++ software security in 2023. The
ability of MTE to detect memory corruption exploitation at the
first dangerous access provides a significant improvement in
diagnostic and potential security effectiveness.

There is a
separate section on weaknesses in the current kernel implementation of
MTE support.

Post Syndicated from corbet original https://lwn.net/Articles/940144/

The Asahi Linux project, which is
working to create a Linux distribution for Apple hardware, has announced
that its new “flagship” distribution will be based on Fedora Linux.

Working directly with upstream means not only can we integrate more
closely with the core distribution, but we can also get issues in
other packages fixed quickly and smoothly. This is particularly
important for platforms like desktop ARM64, where we still run into
random app and package bugs quite often. ARM64 desktop Linux has
been a niche platform (until now!), and with much less testing
comes a higher propensity for bugs, so it’s very important that we
can address these issues quickly. Fedora already has a very solid,
fully supported ARM64 port with a large userbase in the
server/headless segment, so it is an excellent base to build upon
and help improve the state of desktop Linux on ARM64 for everyone.

There is a version for “adventurous users” to play with now, with an
official release expected by the end of the month.

Post Syndicated from corbet original https://lwn.net/Articles/940103/

Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox).

Post Syndicated from corbet original https://lwn.net/Articles/939922/

Here is a
long reminiscence from Jon “maddog” Hall leading up to some thoughts on
Red Hat’s source-release policy changes.

Recently I have been seeing some cracks in the dike. As more and
more users of FOSS come on board, they put more and more demands on
developers whose numbers are not growing sufficiently fast enough
to keep all the software working.

I hear from FOSS developers that too few, and sometimes no,
developers are working on blocks of code. Of course this can also
happen to closed-source code, but this shortness hits mostly in
areas that are not considered “sexy”, such as quality assurance,
release engineering, documentation and translations.

Post Syndicated from corbet original https://lwn.net/Articles/939919/

Version 2.38 of
the GNU C Library has been released. This release consists mostly of
relatively small changes, including improved support for working with
binary integer constants, some new printf() formatting options,
libmvec support for 64-bit Arm systems, the strlcpy() and
strlcat() string functions, and more. See the release notes
for the details.

Post Syndicated from corbet original https://lwn.net/Articles/939917/

Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk).

Post Syndicated from corbet original https://lwn.net/Articles/939808/

Version 29.1 of the Emacs editor has been released. There is a long list
of changes, including integration with the Tree-sitter
incremental parsing library, the ability to access SQLite databases,
“pure GTK” display support (which enables Wayland support), and a lot more; see the
NEWS file for all the details.

Post Syndicated from corbet original https://lwn.net/Articles/939807/

Version 3.2 of the GNU COBOL compiler is out. “The amount of features
are too much to note, but you can skip over the attached NEWS file to
investigate them.” These new features include improved support for
COBOL dialects, performance improvements, better GDB debugging support, and
more.

Post Syndicated from corbet original https://lwn.net/Articles/939389/

It is well understood that concurrency makes programming problems harder;
the high level of concurrency inherent in kernel development is one of the
reasons why kernel work can be challenging. Things can get even worse,
though, if concurrent access happens in places where the code is not
expecting it. The long story accompanying this
short patch from Christian Brauner is illustrative of the kind of
problem that can arise when assumptions about concurrency prove to be
incorrect.

Post Syndicated from corbet original https://lwn.net/Articles/939685/

The 6.5-rc4 kernel prepatch is out for
testing.

So here we are, and the 6.5 release cycle continues to look
entirely normal.

In fact, it’s *so* normal that we have hit on a very particular
(and peculiar) pattern with the rc4 releases: we have had *exactly*
328 non-merge commits in rc4 in 6.2, 6.3 and now 6.5. Weird
coincidence.

And honestly, that weird numerological coincidence is just about
the most interesting thing here.

Post Syndicated from corbet original https://lwn.net/Articles/939568/

The Python Steering Council has announced
its intent to accept PEP
703 (Making the Global Interpreter Lock Optional in CPython), with
initial support possibly showing up in the 3.13 release. There are still
some details to work out, though.

We want to be very careful with backward compatibility. We do not
want another Python 3 situation, so any changes in third-party code
needed to accommodate no-GIL builds should just work in with-GIL
builds (although backward compatibility with older Python versions
will still need to be addressed). This is not Python 4. We are
still considering the requirements we want to place on ABI
compatibility and other details for the two builds and the effect
on backward compatibility.

Post Syndicated from corbet original https://lwn.net/Articles/939542/

For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li has
posted a detailed
writeup of the bug and how it can be exploited.

As StackRot is a Linux kernel vulnerability found in the memory
management subsystem, it affects almost all kernel configurations
and requires minimal capabilities to trigger. However, it should be
noted that maple nodes are freed using RCU callbacks, delaying the
actual memory deallocation until after the RCU grace
period. Consequently, exploiting this vulnerability is considered
challenging.

To the best of my knowledge, there are currently no publicly
available exploits targeting use-after-free-by-RCU (UAFBR)
bugs. This marks the first instance where UAFBR bugs have been
proven to be exploitable, even without the presence of
CONFIG_PREEMPT or CONFIG_SLAB_MERGE_DEFAULT settings.

Post Syndicated from corbet original https://lwn.net/Articles/939097/

One of the longstanding strengths of Linux, and a key to its early success,
is its ability to interoperate with other systems. That interoperability
includes filesystems; Linux supports a wide range of filesystem types,
allowing it to mount filesystems created by many other operating systems.
Some of those filesystem implementations, though, are better maintained
than others; developers at both the kernel and distribution levels are
currently considering, again, how to minimize the security risks presented
by the others.

Post Syndicated from corbet original https://lwn.net/Articles/939511/

Systemd 254 has been released. As usual, there is a long list of changes,
including a new list-paths command for systemctl, the
ability to send POSIX signals to services, a “soft reboot” feature that
restarts user space while leaving the kernel in place, improved support for
“confidential
virtual machines“, and a lot more.

The announcement also notes the support for split-/usr systems
will be removed in the next release, and support for version-one control
groups and for System V service scripts will be deleted in the near
future as well.

Post Syndicated from corbet original https://lwn.net/Articles/939217/

The fchmodat()
system call on Linux hides a little secret: it does not actually implement
all of the functionality that the man page claims (and that POSIX
calls for). As a result, C libraries have to do a bit of a complicated
workaround to provide the API that applications expect. That situation
looks likely to change with the 6.6 kernel, though, as the result of this patch
series posted by Alexey Gladkov.