Security vulnerability found in Rust Linux kernel code

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e0ae02ba831da2b707905f4e602e43f8507b8cc

34•lelanthran•10h ago

Comments

pityJuke•9h ago

Within the Android drivers, right?

uhfraid•9h ago

yes

jeroenhd•9h ago

Technically, binder is still part of Linux, even if it's not enabled by default in many cases.

This "security vulnerability" is just a local DoS though. Annoying and problematic as it effectively bypasses controls over power on/off behaviour, but as far as I can tell from this report, no memory is leaked and no code execution can be achieved.

yourdetect•8h ago

It's UB, it is not memory safe, so in theory, and often also in practice with this specific kind of bug, absolutely anything could happen, including code execution.

Greg Kroah-Hartman's comment is both wrong and perplexing.

dizhn•9h ago

The URL this points to does not say anything about security. There's an example of a race condition causing memory corruption and a crash.

LukeShu•9h ago

While it doesn't add much more info: https://lore.kernel.org/linux-cve-announce/2025121614-CVE-20...

aw1621107•9h ago

Effectively a dupe of this thread from ~14 hours ago: https://news.ycombinator.com/item?id=46302621 (130 comments as of this comment)

thesz•8h ago

The mistake there is a classical example of why (software) transactional memory is valuable. Double linked lists are trivial in single core execution, need PhD level understanding of everything in multicore execution and become trivial again in multicore execution with (S)TM.

Rust has troubles with STM because it lacks anything resembling effect system. Most probably, this will not be fixed.

dlahoda•36m ago

may you share links to read or vote to understand better and push for?

arowthway•7h ago

I hate this bot-detection anime girl popping up on my monitor while I pretend to be working. Same goes for the funny pictures at the beginning of some Github readmes. Sorry for complaining about a tangential annoyance, but I haven't seen this particular sentiment expressed yet.

udjdndndjdjr•7h ago

I had an idea!

Instead of using this to do some proof of work, why not just get the bot detector to mine bitcoin or something...

I mean it is just as useless... And at least the website gets some money back from the raw extraction of data now happening...

Edit: speeeeeling

udjdndndjdjr•7h ago

Also this is a joke

dlahoda•33m ago

this was the plan, this was the plan. just wait little bit it get spread more.

sebtron•7h ago

Normally I don't mind, but on this page it took at least 15 seconds for me.

megnu•7h ago

I use a uBlock Origin filter to block the anime girl from loading:

  ! Title: Hide Anubis Image
  */.within.website/x/cmd/anubis/static/img/*.webp$image

jraph•6h ago

It is expressed very often.

jsiepkes•5h ago

I don't get why this is noteworthy? It's literally a piece of code in a Rust "unsafe" block. If you put something in an "unsafe" block the compiler isn't going to help you, you are on your own. That's why it's called "unsafe".

Now what is kinda interesting is that instead of getting rid of the "unsafe" block the developers put in some extra check. I guess you can take the developer out of C but you can't take the C out of the developer?

U.S. Military members to get $1,776 'warrior dividend'

Show HN: Free PDF tools that run in the browser

Ask HN: How do I bridge the gap between PhD and SWE experiences?

Show HN: ZAI Shell – Self-healing CLI agent that fixes command errors

Mystery Drones, Or Maybe UFOs, Over Sweetwater County Are 'The New Normal'

Conductor: Context-driven development for Gemini CLI

Chatbots inform young voters but don't change their vote choices

Making agentic government work: 7 principles for safer, smarter AI adoption

Toys with the highest play-time and lowest clean-up-time

There's no such thing as a fake feather [video]

Remove Black Color with Shaders

I figured out how to stop making engines and start making games [video]

Asahi Linux Progress Linux 6.18

The Year in Physics

The Open Evaluation Standard: Benchmarking Nvidia Nemotron 3 Nano

Military Standard on Software Control Levels

Don't Worry About College Majors

"Mother of All Demos" (1968)

Show HN: Turn your startup logo into a holiday Google doodle

Yann LeCun raising €500M at €3B valuation for new AI startup

Sadly, Fortnite will not return to iOS in Japan in 2025 as promised

Ask HN: How to fight back against Lovable, Replit, etc. in enterprise products

You can now verify Google AI-generated videos in the Gemini app

GitHub Actions Degraded

Agent Skills is now an open standard

Good if make prior after data instead of before

The View from Inside the AI Bubble

Ruby Weekly #780: What's New in Ruby 4.0

Show HN: A better interface for base model LLMs

Show HN: Peachka – Protecting Videos from Stealing