# Dirty Cow vulnerability and Difference in Kernel Development



## enjinn (Oct 25, 2016)

Being new to FreeBSD and more familiar with Linux, I was wondering if the Dirty Cow vulnerability was possibly an example of the difference in development between the two OS communities.

From what I have read, Linus was aware of this vulnerability and patched it ~11 years ago. Then another commit removed or broke the fix until now since 2007.
Dirty Cow

Even as a Linux fan and new to FreeBSD, one has to wonder how such a known vulnerability re-enters the code base for 9 years. The more that comes out about this vulnerability, the more I want to learn about FreeBSD and consider migrating my services to it.


----------



## SirDice (Oct 25, 2016)

Nine years is nothing.

https://slashdot.org/story/08/05/11/1339228/the-25-year-old-bsd-bug
http://cvsweb.openbsd.org/cgi-bin/c....c?rev=1.18&content-type=text/x-cvsweb-markup


----------



## kpa (Oct 25, 2016)

I wouldn't say so; FreeBSD is equally susceptible to similar errors and vulnerabilities because there are far fewer developers working on the critical parts of the kernel compared to Linux. There is always a danger of overlooking something because it's a human working on the code after all and humans tend to make a lot of mistakes all the time. What FreeBSD really could use is more pairs of eyes reviewing the code written by the developers working on those critical sections of the kernel.


----------



## drhowarddrfine (Oct 25, 2016)

That Linux overlooked it with far more developers and more human eyes may say something, too.


----------



## SirDice (Oct 25, 2016)

The problem I see with the "many eyes principle" is the same as with an assault or rape in broad daylight. Everybody that sees it thinks (or hopes) someone else will react. So in the end nobody does.

https://en.wikipedia.org/wiki/Bystander_effect

The same can be said for open source projects. Everybody can read the code but very few people actually do. And even fewer will submit bug reports or offer solutions.


----------



## enjinn (Oct 25, 2016)

SirDice said:


> Nine years is nothing.
> 
> https://slashdot.org/story/08/05/11/1339228/the-25-year-old-bsd-bug
> http://cvsweb.openbsd.org/cgi-bin/c....c?rev=1.18&content-type=text/x-cvsweb-markup



Interesting. What kind of concerned me though with the Dirty Cow exploit was that it was patched and then ~2 years later was broken with a new commit. What's not clear is if they knew it was re-broken but ignored.


----------



## SirDice (Oct 25, 2016)

enjinn said:


> What's not clear is if they knew it was re-broken but ignored.


They probably didn't know about it. A lot of times the actual bug is only triggered when some obscure flag is passed or there's an interaction with something completely unrelated. If you don't specifically test for those situations you're probably not going to find it.


----------



## _martin (Oct 25, 2016)

I fully agree with what kpa has said. And speaking of it, here ya go: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:32.bhyve.asc

Sometimes bugs just happen.


----------



## ANOKNUSA (Oct 26, 2016)

kpa said:


> There is always a danger of overlooking something because it's a human working on the code after all and humans tend to make a lot of mistakes all the time.



To paraphrase Neal Stephenson: what's remarkable about open-source software is not that it has flaws. What's remarkable about it is that the people who write and promote it openly admit that it has flaws.


----------



## enjinn (Oct 26, 2016)

ANOKNUSA said:


> To paraphrase Neal Stephenson: what's remarkable about open-source software is not that it has flaws. What's remarkable about it is that the people who write and promote it openly admit that it has flaws.



True, and I have the greatest respect for developers, and sunlight is always the greatest disinfectant. Maybe we are nearing a point where application developers must honestly assume any application they build will be hosted on a compromised host and that possibly hosts are compromised as a de facto standard in some cases. Possibly a paranoid view, but given the past two years of breaches, maybe the reality of the future. And breaches aside, a user like me looks at Heartbleed, Shellshock, Dirty Cow, etc. and wonders. Maybe the days of application developers trusting the host or kernel need to end, and maybe the movement of developing applications that protect themselves from the kernel needs to continue. Again, as a user and not a developer, I have no idea of the true complexity involved; I support the community in the ways I can via purchases, deployment, donations, trying to learn, advocating positive experiences, etc.


----------

