B1rdi@reddit
Sure would've been useful to know why
spudlyo@reddit (OP)
If a random person tells me "hey, you might not want to walk down this street", I might not pay attention. If someone in tactical gear holding a sidearm tells me the same thing, I'm turning the fuck around.
TheRealDarkArc@reddit
Okay? And that applies to this situation how?
TomDuhamel@reddit
Well I think OP was really clear. Just keep walking and ignore this post.
spudlyo@reddit (OP)
RemindMe! -7 day
Bananarang1@reddit
aged like fucking milk
spudlyo@reddit (OP)
swing and a miss!
throwaway6560192@reddit
Are you serious?
spudlyo@reddit (OP)
Rachel is a semi-famous Linux sysadmin who has worked for big tech companies. Her blog is filled with industry horror stories from the trenches and meaty tech articles about low-level debugging. She is not known for vagueposting or shitposting, she gets paid to debug hard-to-find problems in stressful situations.
FryBoyter@reddit
Even if Bruce Schneier had published this article, I would still criticise it. Because the information it contains is zero.
Assuming that it is a security problem, even if you do responsible disclosure, you could at least state whether the problem can only be exploited locally or also remotely.
This information alone would be generally important for me to decide whether to get nervous and actually uninstall the tool or whether I can sit back and relax in comparison.
death_in_the_ocean@reddit
Any. Fucking. Questions???
B1rdi@reddit
Yeah sure, just curious.
natermer@reddit
After about 15 seconds of clicking around atop bug tracker:
https://github.com/Atoptool/atop/commit/8d1799bff61461ef151aed6e05b05cacb6475648#commitcomment-154345184
I am not a C programmer, so I can't interpret exactly what is going on, but...
Glittering-Spite234@reddit
But nothing. It's a slight performance improvement and nothing else.
jausieng@reddit
The changes to the free() calls are certainly harmless. free(NULL) is already a no-op.
The similar change to munmap() is a bit more interesting, but (unless something's already gone quite badly wrong) there's nothing mapped at address 0 anyway, so you'd expect a harmless error return here.
If there's an issue, this commit doesn't seem like a promising place to look for it.
Alexander_Selkirk@reddit
atop has weird privileges. It is most likely a severe security vulnerability and explaining why would perhaps give a blueprint to exploit it. Also, there is a time window between a fix being published, and it landing on critical systems. Attackers analyze security patches to find exploits.
bonch@reddit
This is a legitimate post from an authoritative source that isn't disclosing details for reasons of responsible disclosure, but this is Reddit, so it gets votebombed.
fatexs@reddit
Dude all this vague bs and it's for a local denial of service CVE. No RCE?
This is like yelling bomb at an airport because somebody popped a balloon.
bonch@reddit
No, it isn't.
gabriel_3@reddit
Very poor content: "Don't use *top, I'll share why another time". Click bait?
throwaway6560192@reddit
Have you ever heard of responsible disclosure?
stejoo@reddit
If that were the case I could understand it a bit. Still would not make me agree with the way this news was brought.
But no disclosure was made. She did not contact atop's developer. And she so far has not responded to questions from the developer.
He was notified by another person and has spent work and spare time to create a fix for the issue. Currently trying to figure out the best way to publish the fixed version while allowing downstream to update their packages asap.
gleventhal@reddit
Not sure why you were downvoted, it's true. Maybe because it was snarky? Anyhow, I am very curious to know more, I love atop, there are not many things that can do what it does (with the historic data, etc)
phantagom@reddit
I am in close contact with the maintainer, fix is underway
LengthyLurker@reddit
Does anyone here use just regular top? Or am I the only one? I'm a beginner btw
spudlyo@reddit (OP)
You might be surprised at how badass regular top is. Weirdly enough, I made a video 14 years ago that shows off some of the more esoteric features.
Free_Crab_8181@reddit
I tend to prefer tools that are out of the box.
No-Author1580@reddit
htop FTW
DaveX64@reddit
I use btop.
mrtruthiness@reddit
I only run top when htop isn't available. These days htop is always available.
SoHiHello@reddit
I don't know if they have changed it recently but Rocky 9 didn't have it by default in the Google cloud optimized version. top but no htop
natermer@reddit
Regular top is fine.
The main reason to use things like Htop or Atop is if you want to impress somebody that walks by and looks at your computer monitor.
Schreq@reddit
If you want to impress noobs -> htop and the like
If you want to impress pros -> top
daddyd@reddit
depending on the machine, top, htop or btop.
FriedHoen2@reddit
me too
JockstrapCummies@reddit
Yeah I just regularly top and bottom. I suppose I'm vers.
DNSGeek@reddit
I mostly use regular top, sometimes htop when I'm feeling saucy.
mikechant@reddit
An Ubuntu CVE has been logged: https://ubuntu.com/security/CVE-2025-31160
spudlyo@reddit (OP)
Look I get it. This post is vague as fuck, and I understand why y'all are downvoting the shit out of me. If you're just some random Linux user this sort of thing isn't going to keep you awake at night.
If however, you are responsible for the care and feeding of a fleet of Linux boxen and spending the next month having to mop up after getting pwned through atop doesn't sound like a good time to you, I'm just saying, you might want to satisfy your curiosity and see what your potential exposure to this is.
mopping up after getting pwned through atop doesn't sound like a fun way to spend the next month
I'm here to tell you to at least look into if atop is running on your babies.
gordonmessmer@reddit
Yeah, that's social media...
YouTuber tries Linux: UPVOTES!!!!!
Actual engineer provides advice (without actually disclosing a flaw): meh. And even in /r/linux, celebrity rules over engineering.
Social media does not reward expertise. It is designed to dogpile.
Pay08@reddit
Fuck right off. Actual engineering is upvoted on this sub. This isn't engineering.
throwaway6560192@reddit
"Actual engineer provides advice" is what was said. Not "actual engineering".
gordonmessmer@reddit
That's not what I said. But misinterpreting or misrepresenting what people say is what I expect on social media.
Pay08@reddit
Then might I suggest going back to kindergarten and learning to use your words?
spudlyo@reddit (OP)
Just for you, here is some actual engineering related content from the same source on the same topic. It's a good read.
Pay08@reddit
Thanks.
spudlyo@reddit (OP)
These are the same group of knuckle dragging troglodytes who ejaculate a stream of upvotes every time a shiny new neofetch clone is posted, who don't know what the load average means, or what the run queue is. The same cretins who are all "hurr, htop, hurr" and who don't realize that atop is often a long running process with lots of privs that collects metrics on big-boy servers managed by people whose job it is to (among other things) ensure their corporate overlords don't get pwned.
DaveX64@reddit
I gave you an upvote, thanks for the heads up
Damaniel2@reddit
Though honestly you could have posted an actual source explaining your concerns (like someone else here has) rather than a 2 sentence 'trust me bro' post that says nothing about why someone may (or may) not want to uninstall it.
gleventhal@reddit
But the person who posted the linked post is a very respected systems engineer, so it's worth listening to her and there are valid reasons/restrictions why she may not be able to get more specific.
lazystingray@reddit
Original post makes perfect sense (to me at least). It's from a solid SA source and right now they're probably under NDA. I'd take it as a word of warning before a 0 day hits you in the face, hard.
spudlyo@reddit (OP)
For those of you who don't know, Rachel is a very credible source, and if you've read her blog, you know she knows her shit. At a previous gig atop was used as a long-running resource debugging tool on thousands of machines, and if I remember correctly some packaged versions of this tool have it run out of cron as part of the package install.
tjharman@reddit
This sub doesn't seem to be people with much real clue for this sort of stuff. It's full of people who don't understand the difference between top and atop.
jaskij@reddit
We need to revive r/linuxadmin, or something. As much as Linux being more and more popular and egalitarian is, overall, a good thing, it has its downsides.
MrBarnes1825@reddit
I say wut wut, in the top
EatMeerkats@reddit
Second post with slightly more details
It turns out that in this case, it's true that there's no actual known exploit, just the author hypothesizing that there may be a possible heap exploit.
spudlyo@reddit (OP)
Looks like probable local privilege escalation, which is worrisome, but not an all-hands on deck level event. I bet there is a CVE within 30 days.
Avoahcado@reddit
I would like to know what to use instead. It is immensely useful in situations where programs don't log much and something gets oomed, for example. With atop I can replay the whole thing and see when what happened.
throwaway6560192@reddit
Reading the comments here would make one really disappointed in the state of this forum.
Booty_Bumping@reddit
Situation is bad
LovelyWhether@reddit
https://news.ycombinator.com/item?id=43477057
spudlyo@reddit (OP)
Yeah, the blast radius of a potential supply chain compromise with this thing could be big, it runs as root and comes with a kernel module.
triemdedwiat@reddit
I guess when they exhaust all their other easy to use tools, they'll mod this.
alerikaisattera@reddit
"I have discovered a truly marvelous proof of this, which this margin is too narrow to contain."
thebadslime@reddit
good thing i use htop
Pretend_Fly_1319@reddit
Cool, now tell me what the point of posting this article was, because it tells us absolutely nothing.