Linux 5.10 finally ditches decades-old tool that caused security bugs

For years, set_fs() has been known to cause trouble - and now it's finally gone.


Linus Torvalds has kicked off yet another development cycle for the Linux kernel, announcing the release of 5.10-rc1, and this time with an historical twist. The new version of the kernel effectively marks the end of a decades-old feature that had long been made redundant after it was found to cause security bugs.

With the closing of the two-week-long merge window, which precedes the release of every new iteration of the Linux kernel, Torvalds shared his reflections on the Linux kernel mailing list, maintaining that "things seem to have gone fairly smoothly".

The merge window is a key part of any new kernel release process, during which up to 1,000 patches submitted by the developer community are merged every day into the mainline repository managed by Torvalds. A review process ensures that each patch implements a desirable change.


This time around, Torvalds drew attention to the removal of an addressing tool, called set_fs(), which goes back to the original release of Linux. "The most interesting -- to me -- change here is Christoph's set_fs() removal," he wrote. "It's not a huge change, but it's interesting because the whole model of set_fs() to specify whether a userspace copy actually goes to user space or kernel space goes back to pretty much the original release of Linux."

As Torvalds explained, the set_fs() function could be used to override the address-space limit, collapsing the split between user space and kernel space for the duration of a copy. The tool was widely used when managing Intel's early x86 processors, to control the range of virtual addresses that could be accessed by unprivileged code.

However, in 2010 the Common Vulnerabilities and Exposures (CVE) dictionary detailed the security issues posed by set_fs(). By bypassing certain access restrictions, the function was shown to be able to "overwrite arbitrary kernel memory locations" and "gain privileges" -- in some cases, to let user space overwrite kernel data.

Given the security shortcomings of the tool, some architectures including x86, powerpc, s390 and RISC-V have already removed address space overrides. But, as Torvalds wrote: "We still do have 'set_fs()' around, and not every architecture has been converted to the new world order."
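To make the mechanism Torvalds describes concrete, the following is an added, constructed user-space model of the pre-5.10 address-limit check (it is not kernel code and not part of Christoph Hellwig's series). It models get_fs()/set_fs() as a global limit consulted by an access_ok()-style range check, shows a kernel helper that forgets to restore the limit on its error path, and contrasts it with the "new world order" of passing the kernel destination explicitly so no global mode exists. All names, the limit constants and the sample addresses are assumptions chosen for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the old address-space limit. USER_LIMIT stands in for
 * USER_DS (highest user address on a 64-bit x86 layout), KERNEL_LIMIT for
 * KERNEL_DS (no restriction at all). Values are illustrative, not the kernel's. */
#define USER_LIMIT   0x00007fffffffffffULL
#define KERNEL_LIMIT 0xffffffffffffffffULL

/* The problem in one line: the limit is per-task global state, not a parameter. */
static uint64_t addr_limit = USER_LIMIT;

static void     model_set_fs(uint64_t limit) { addr_limit = limit; }
static uint64_t model_get_fs(void)           { return addr_limit; }

/* Model of access_ok(): the whole range [addr, addr+len) must lie at or below
 * the current limit. Written to be overflow-safe. Returns 1 if allowed. */
static int model_access_ok(uint64_t addr, size_t len) {
    if (len == 0) return 1;
    if (addr > addr_limit) return 0;
    if ((uint64_t)(len - 1) > addr_limit - addr) return 0;
    return 1;
}

/* Model of copy_to_user(): 0 on success, -1 if the destination is rejected.
 * The model only decides; it never writes to the modelled address. */
static int model_copy_to_user(uint64_t dst, const void *src, size_t len) {
    (void)src;
    return model_access_ok(dst, len) ? 0 : -1;
}

/* Post-5.10 style: the caller states that the buffer is a kernel buffer, so the
 * copy routine needs no global mode and the user-pointer check is untouched. */
static int model_copy_to_kernel(char *dst, const char *src, size_t len) {
    for (size_t i = 0; i < len; i++) dst[i] = src[i];
    return 0;
}

/* Old-style helper that needs a kernel-buffer copy. BUG: on the error path it
 * returns with KERNEL_LIMIT still in force, the class of mistake the article
 * describes (later copies from user-supplied pointers are no longer bounded). */
static int leaky_kernel_helper(int fail) {
    uint64_t old = model_get_fs();
    model_set_fs(KERNEL_LIMIT);
    if (fail)
        return -1;            /* missing model_set_fs(old) */
    model_set_fs(old);
    return 0;
}

/* Same helper with the limit restored on every path. */
static int careful_kernel_helper(int fail) {
    uint64_t old = model_get_fs();
    int ret = 0;
    model_set_fs(KERNEL_LIMIT);
    if (fail)
        ret = -1;
    model_set_fs(old);
    return ret;
}

/* What a later syscall handler sees: would a user-supplied pointer into kernel
 * space get past the copy check? Returns 1 if the write would be allowed
 * (the outcome a correct limit must prevent). Address is a constructed sample. */
static int user_pointer_to_kernel_accepted(void) {
    const uint64_t sample_kernel_addr = 0xffffffff81000000ULL;
    char payload = 0;
    return model_copy_to_user(sample_kernel_addr, &payload, sizeof payload) == 0;
}

int main(void) {
    char kbuf[4] = {0};
    printf("USER_DS, kernel address accepted?  %d\n", user_pointer_to_kernel_accepted());
    careful_kernel_helper(1);
    printf("after careful helper error path:  %d\n", user_pointer_to_kernel_accepted());
    leaky_kernel_helper(1);
    printf("after leaky helper error path:    %d\n", user_pointer_to_kernel_accepted());
    model_set_fs(USER_LIMIT);
    model_copy_to_kernel(kbuf, "abc", 4);   /* explicit kernel copy, no limit change */
    printf("explicit kernel copy, accepted?   %d\n", user_pointer_to_kernel_accepted());
    return 0;
}
```

The model makes the design point visible: the danger was never a single bug but a global mode that every error path had to reset, and the replacement removes the mode rather than auditing its users. In the real kernel the explicit-destination side is handled by routines such as kernel_read()/kernel_write() and iov_iter kvec buffers, which are the mechanisms the set_fs() removal series moved callers onto.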

On top of this long-overdue historical remediation, the 5.10-rc1 version, like most kernel releases, comes with a great many other changes. Torvalds counted almost 14,000 commits by close to 1,700 people, with changes that range from support for Nvidia's SoCs for self-driving cars and robots to Nintendo Switch controller support.


Reports have counted around 704,000 lines of new code and 419,000 lines deleted, making 5.10-rc1 comparable in size to Linux's biggest kernel ever -- 5.8. "This looks to be a bigger release than I expected, and while the merge window is smaller than the one for 5.8 was, it's not a lot smaller," said Torvalds. "And 5.8 was our biggest release ever."

As per Linux's typical schedule, 5.10-rc1 will be followed by several weeks' worth of problem-fixing patches, with several candidate versions to be released before the stable kernel release expected in December.