this post was submitted on 17 Dec 2025
166 points (98.3% liked)

Technology

77090 readers
2514 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
166
Linux Kernel Rust Code Sees Its First CVE Vulnerability (www.phoronix.com)
submitted 1 day ago* (last edited 1 day ago) by hal_5700X@sh.itjust.works to c/technology@lemmy.world
46 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] john_t@piefed.ee 98 points 1 day ago (2 children)

No one said rust was invulnerable.

[–] pryre@lemmy.world 77 points 1 day ago (2 children)

I think the other takeaway here is that it was found in a section marked "unsafe". At the very least, that's a useful tool for the Devs to isolate potential problem areas. Comparing that to a pure C codebase where the problem could be anywhere.

[–] hummingbird@lemmy.world 1 points 3 hours ago (2 children)

The funny part is: the fix does not change the unsafe block at all. The issue is elsewhere in safe rust code.

[–] pryre@lemmy.world 1 points 3 hours ago

I'll admit, I haven't looked at the code. I would stand by my comment of the unsafe block being a start point.

Countering that however, what is the difference to just debugging effectively? Not sure. I suppose it's down to the people that identified it and fixed it at the end of the day to say if there was any benefit.

[–] KexPilot@lemmy.world 1 points 17 minutes ago* (last edited 16 minutes ago)

No. The issue is that an assumption they make in the unsafe block does not actually always hold true. They changed the safe rust code to strenghten the (incorrect) assumption they made in the first place, because that is way easier than rearchitecting the unsafe part. I.e. if the unsafe part was somehow to be written safely, the mitigation they introduced now would not result in any difference in behaviour, it would be correct behaviour both before and after.

Tldr: the problem lies in the unsafe part

[–] vrighter@discuss.tchncs.de -2 points 5 hours ago

doesn't change anything if you can't avoid having to write the unsafe parts

[–] BassTurd@lemmy.world 11 points 1 day ago (1 children)

Boone? There are plenty of fan boys out there that are selling rust like AI, or in other words snake oil.

Rust obviously has built in securities that C doesn't have, but a shitty coder is a shitty coder and bad QC is bad QC. Now we're seeing the reality of the consequences.

Rust and/or other memory safe(r) languages are like the future, but hopefully more people are now seeing the cracks. Just look at cloudflare for a prime example.

[–] pupbiru@aussie.zone 6 points 8 hours ago (1 children)

the cloudflare issues were configuration… they have nothing even remotely relayed to any of this

[–] PushButton@lemmy.world 0 points 6 hours ago (1 children)
[–] pupbiru@aussie.zone 7 points 5 hours ago

The software had a limit on the size of the feature file that was below its doubled size. That caused the software to fail.

this is not a rust problem… nor was the original problem of code writing entries to a file multiple times, and nor is the thing that made it worse: propagation of the poisoned file