≡ Menu

architectures

FreeBSD 7.2RC Released

The second of two planned Release Candidates for the FreeBSD 7.2-RELEASE cycle is now available. ISO images for Tier-1 architectures are now available on most of the FreeBSD mirror sites.

The freebsd-update(8) utility supports binary upgrades of i386 and amd64
systems running earlier FreeBSD releases. Systems running 7.0-RELEASE,
7.1-RELEASE, 7.2-BETA1, or 7.2-RC1 can upgrade as follows:

# freebsd-update upgrade -r 7.2-RC2

During this process, FreeBSD Update may ask the user to help by merging
some configuration files or by confirming that the automatically performed
merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.
# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new
userland components, and the system needs to be rebooted again:

# freebsd-update install
# shutdown -r now

Debian GNU/Linux 4.0 Update 6 Released

Didn't take long to release new updated version.

The Debian project is pleased to announce the sixth update of its stable distribution Debian GNU/Linux 4.0 (codename "etch"). This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems. This update has been rated as having important security impact. You are advised to upgrade system ASAP.
[click to continue…]

How To Patch Running Linux Kernel Source Tree

Yesterday, I wrote about a serious Linux kernel bug and fix. However, few readers like to know about patching running Linux kernel. Patching production kernel is a risky business. Following procedure will help you to fix the problem.

Step # 1: Make sure your product is affected

First find out if your product is affected by reported exploit. For example, vmsplice() but only affects RHEL 5.x but RHEL 4.x,3.x, and 2.1.x are not affected at all. You can always obtain this information by visiting vendors bug reporting system called bugzilla. Also make sure bug affects your architectures. For example, a bug may only affect 64 bit or 32 bit platform.

Step # 2: Apply patch

You better apply and test patch in a test environment. Please note that some vendors such as Redhat and Suse modifies or backports kernel. So it is good idea to apply patch to their kernel source code tree. Otherwise you can always grab and apply patch to latest kernel version.

Step # 3: How do I apply kernel patch?

WARNING! These instructions require having the skills of a sysadmin. Personally, I avoid recompiling any kernel unless absolutely necessary. Most our production boxes (over 1400+) are powered by mix of RHEL 4 and 5. Wrong kernel option can disable hardware or may not boot system at all. If you don't understand the internal kernel dependencies don't try this on a production box.

Change directory to your kernel source code:
# cd linux-2.6.xx.yy
Download and save patch file as fix.vmsplice.exploit.patch:
# cat fix.vmsplice.exploit.patch
Output:

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
                if (unlikely(!len))
                        break;
                error = -EFAULT;
-               if (unlikely(!base))
+               if (!access_ok(VERIFY_READ, base, len))
                        break;
                /*

Now apply patch using patch command, enter:
# patch < fix.vmsplice.exploit.patch -p1
Now recompile and install Linux kernel.

I hope this quick and dirty guide will save someones time. On a related note Erek has unofficial patched RPMs for CentOS / RHEL distros.