The British are to blame for this aren’t they

A glimpse into what a kernel engineer debugs for enterprise customers.

A bank is running a "security" solution that installs kprobes to intercept, among other things, calls to do_execveat_common(), and monitors all the arguments that could have been passed to execveat(). As do_execveat_common() can be triggered not only by userspace, but also by call_usermodehelper_exec(), a kprobe crafted with poor assumptions may result in an erroneous double dereference of what it thinks points to argv**, causing a General Protection Fault.

The kernel is not dumb however. If a GPF is triggered by a kprobe, it is handled gracefully, and nothing happens, and kprobe just returns a safe value. For a GPF to be triggered however, the CPU has to really try to read the wrong memory address first. The address is pretty random each time, meaning it can point to memory regions that are not mapped by kernel, but have some special meaning for a platform.

Enter the platform. It is configured by the hardware vendor in such a way that if an unaligned access to an MMIO region happens, an MCE is generated. And it is not some MCE for a correctable error, but an MCE indicating process context corruption, in other words, it's fatal. So, once it happens, the system dies with a kernel panic.

And this is exactly what the customer experienced. A socket() syscall caused modprobe to be invoked via call_usermodehelper_exec() → do_execveat_common() chain to load the ipv6 module. This triggered a kprobe that dereferenced wrong memory pointer twice provoking a GPF. The kernel began to gracefully handle the GPF, but the platform saw that the second dereference resulted in accessing the MMIO region, and this was an unaligned access, hence the platform threw MCE. And the system died.

It was fun to investigate this and to explain to the customer that three legitimate things in their system being hit together can trigger a crash.

And of course we joked we should have moved the whole case to the networking team, because it's always IPv6.

[RSS] Random BSODs on ASRock Z170 Extreme4: Fixed by Disabling CPU C-States

https://medium.com/@Debugger/random-bsods-on-asrock-z170-extreme4-fixed-by-disabling-cpu-c-states-9416d48a64e9?source=rss-3ba65b326b28------2

I recently had to deploy a change to #Debian Code Search to limit the amount of memory used during indexing a single package — because of #Firefox, which now ships as 388_859 files, totaling 1.78 GB! The resulting search index is 2.76 GB. Doing this entire indexing in one go is just too much for typical servers.

So now we flush into intermediate index files and merge them in the end: https://github.com/Debian/dcs/commit/8e76d5b9408cd12cfb6b728c1f1f3a96a9775310

The resulting drop in max heap usage is nicely visible on the graph by now :)

[RSS] Introducing rzweb: A Web-Based Binary Analyzer Using Rizin and WebAssembly - Open-Source and Browser-Only

https://github.com/indalok/rzweb

Really, no one?

[RSS] wtf is NS_ERROR_INVALID_CONTENT_ENCODING? investigating shared dictionaries and ChatGPT breakage in Firefox

https://joshua.hu/chatgpt-fail-loading-firefox

Tracing the ptrace

https://blogs.oracle.com/linux/tracing-the-ptrace

GLIBC-SA-2026-0001: Integer overflow in memalign leads to heap corruption (CVE-2026-0861)

https://www.openwall.com/lists/oss-security/2026/01/16/5

GLIBC-SA-2026-0002: getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler (CVE-2026-0915)

https://www.openwall.com/lists/oss-security/2026/01/16/6

Read about CVE-2025-13154, a privilege escalation vulnerability in a Lenovo Vantage addin called SmartPerformance

https://cyllective.com/blog/posts/lenovo-vantage

Part of the reason of every service turning shit is that some technical writers assume that shit can only ever run on k8s...

https://worstofbreed.net/patterns/k8s-overkill/

#documentation

I laughed

"The best conversation I had was over forty million years ago," continued Marvin. ..."And that was with a coffee machine."

#HitchhikersGuide #DouglasAdams #quotes #quote #bot

https://github.com/curl/curl/pull/20312

There, now you know.

RE: https://mastodon.social/@fj/114024334222739130

Think of the folks at Palantir who built this.
https://www.404media.co/elite-the-palantir-app-ice-uses-to-find-neighborhoods-to-raid/

God bless people who do stuff like getting in touch with the US patent office and putting the source code for the 1998 furby on archive.org

https://archive.org/details/furby-source/mode/2up

I just got the weirdest e-mail:

It's a lab result for someone else. It has a PDF attachment, but I can see nothing malicious in it. The sender domain exists and does lab stuff. I looked up the person in the document and he seems to exist (in the US).

I'd say this must be a typo, but my e-mail address has only the first character (and probably the domain) matching with the persons name. I highly doubt his internet handle is a short keyboard distance from my Hungarian handle.

I have two theories:

a. This is a highly sophisticated scam (but I don't see the scam part yet)
b. Copilot hallucinated my e-mail address (which is actually pretty easy to scrape from the web)

Jerry did a nice write up on how to take on NTLM in your environment.

We've got some Very Fun updates coming out in the next little while on this front too.

https://techcommunity.microsoft.com/blog/CoreInfrastructureandSecurityBlog/active-directory-hardening-series---part-8-%E2%80%93-disabling-ntlm/4485782

Wikipedia turns 25 today! 🎂📚

To celebrate, we’re looking back at its baby pictures—some of the earliest captures of the site, preserved in the #WaybackMachine.

Take a nostalgic peek at early Wikipedia ⤵️

https://web.archive.org/web/20030301000000*/en.wikipedia.org

#WikipediaDay #Wikipedia25 @wikipedia