←back to thread

A Higgs-Bugson in the Linux Kernel

(blog.janestreet.com)
226 points Ne02ptzero | 4 comments | 02 Jul 25 18:34 UTC | HN request time: 0.001s | source
Show context
snvzz ◴[03 Jul 25 08:35 UTC] No.44452910[source]
With millions of LoCs, it is no surprise there are bugs.

Worse yet, the kernel runs in supervisor mode.

This kernel design is bankrupt. There's much better available, such as seL4+Genode.

replies(4): >>44453275 #>>44453449 #>>44454879 #>>44459008 #
eqvinox ◴[03 Jul 25 10:11 UTC] No.44453449[source]
Please try keeping your snide comments to issues they actually apply to. This is a logic bug, with the kernel missing a piece of abnormality handling. You can get the exact same bug in a microkernel (or, FWIW, a memory safe, e.g. Rust) implementation; neither of those concepts help here.
replies(1): >>44460018 #
1. snvzz ◴[03 Jul 25 23:38 UTC] No.44460018[source]
>You can get the exact same bug in a microkernel

Absolutely. And yet, it is that much easier to keep a tiny codebase bug-free.

And only that tiny codebase has to run with supervisor privileges.

replies(1): >>44460287 #
2. eqvinox ◴[04 Jul 25 00:41 UTC] No.44460287[source]
Of course a tiny microkernel code base won't have NFS bugs. It doesn't implement NFS. The bug will instead be in the NFS process/daemon/service/… which considering it's an fs service won't exactly be unprivileged either, even if only by returning maliciously corrupted contents. (e.g. a SUID root file that should not exist.)

And, sure, a microkernel could have better security properties. However, (1) this has no connection at all to this specific bug, and (2) the Linux kernel seems to be doing reasonably well on security properties; or rather the industry seems to have decided it's sufficiently secure, even if not perfect.

replies(1): >>44462665 #
3. snvzz ◴[04 Jul 25 09:04 UTC] No.44462665[source]
Not only is the damage contained, but it is also much easier to protect an isolated NFS server.

For instance, instead of being able to read/write/jump literally anywhere in memory, it would only have capabilities to the resources it needs.

And these capabilities would be enforced strictly, by the bug-free microkernel. The likes of seL4 even have formal proof of correctness.

replies(1): >>44463820 #
4. eqvinox ◴[04 Jul 25 12:09 UTC] No.44463820{3}[source]
And you are still making these arguments on the discussion of a bug that they have absolutely no bearing on. If Linux were written with the same exact development history, but as a microkernel, the exact same bug could (and likely would) exist in the NFS client component. The impact is spurious unavailability of service, and would be the same on a microkernel; it is not exploitable for memory corruption. And any file system service, by its function, will be in a position of relative privilege, even if less so on a microkernel.

Your arguments are likely valid, with other bugs. Please take them there. Wedging this discussion in here just makes you look like a proselytizing zealot.