Revisit of Deepin Desktop D-Bus Services after Removal from openSUSE (April 2026)

openSUSE 再次评估 Deepin 桌面组件，结果依然令人失望。虽然官方声称已修复，但审计发现 Backlight Helper 缺少 Polkit 认证，Accounts Service 更是漏洞百出：CreateGuestUser 存在竞态条件，SetHomeDir 可将家目录移至 /root，SetPassword 甚至泄露明文密码并存在 root 提权风险。openSUSE 表示 Deepin 安全文化堪忧，修复效率极低，建议用户谨慎使用，并已降低其审核优先级。

https://security.opensuse.org/2026/04/20/winter-spotlight.html#section-deepin

#aigc

这个问题的迷人之处在于，甚至 StackOverflow 都无法给出正确的回答：
https://stackoverflow.com/questions/47968861/does-python-logging-support-multiprocessing: 高赞回答全错
https://stackoverflow.com/questions/1154446/is-file-append-atomic-in-unix: 高赞回答全错

其中有个回答非常具有迷惑性，这个博客 (https://www.notthewizard.com/2014/06/17/are-files-appends-really-atomic/) 里用 bash 做了 O_APPEND 实验，方法是 20 个进程并行 echo "$line" >> /tmp/out.tmp ，由于 echo 默认会输出 \n，最后验证一下 /tmp/out.tmp 里是否有预期的行数和字节数（数据完整性）、每一行的字节数是否为预期值（单次 write 的原子性），最后发现在 Linux ext3 上 4096 是分水岭，4097 时会出现碎片，进程之间的 write 会穿插输出。我在 Linux 6.17 ext4 上可以复现。

上面这个实验得到的错误结论毒害了整个 SO 很多年，大量的回答都在复读 PIPE_BUF (4096) 这个数，然而 ta 的实验错在 bash echo 的行为很隐晦，如果 echo 的数据（含 \n suffix）大于 4096 并且输出 fd 是 regular file，echo 会拆成多个 buffer 调用多次 write，根本就没有测试到 write 的原子性。

# $ strace -e write -fTtt bash -c 'line=$(printf "%4096s" "" | tr " " A); echo "$line" >> /tmp/a'
16:36:20.792871 write(1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 4096) = 4096 <0.000043>
16:36:20.792936 write(1, "\n", 1)       = 1 <0.000007>

真相是 O_APPEND 是具有多进程原子性的，在 https://elixir.bootlin.com/linux/v6.18.29/source/mm/filemap.c#L4406 的 generic_file_write_iter 里：

ssize_t generic_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
{
[...]
  inode_lock(inode);
  ret = generic_write_checks(iocb, from);
  if (ret > 0)
    ret = __generic_file_write_iter(iocb, from);
  inode_unlock(inode);
[...]
}

generic_write_checks() 会 if (iocb->ki_flags & IOCB_APPEND) iocb->ki_pos = ... 来推进 pos 指针，然后 __generic_file_write_iter() 写入数据，这两步都在 inode_lock(inode) semaphore 保护下，多进程安全。

此外，就算没有 O_APPEND，现代 Linux 也实现了相当程度的 write 原子性，在 man 2 write 里，最后一节 BUGS:

BUGS
According to POSIX.1-2008/SUSv4 Section XSI 2.9.7 ("Thread Interactions with Regular File Operations"):

All of the following functions shall be atomic with respect to each other in the effects specified in POSIX.1-2008 when they operate on regular files or symbolic links: ...

Among the APIs subsequently listed are write() and writev(2). And among the effects that should be atomic across threads (and processes) are updates of the file offset. However, before Linux 3.14,
this was not the case: if two processes that share an open file description (see open(2)) perform a write() (or writev(2)) at the same time, then the I/O operations were not atomic with respect to up‐
dating the file offset, with the result that the blocks of data output by the two processes might (incorrectly) overlap. This problem was fixed in Linux 3.14.

就是在说，如果两个进程的 fd 指向同一个 file description（如图），那它们共享同一个 file offset，自动拥有原子性和互斥性。

内核实现是在 https://elixir.bootlin.com/linux/v6.18.29/source/fs/file.c#L1200 的 file_needs_f_pos_lock 里，如果引用计数大于一，有多进程共享，会 mutex_lock(&file->f_pos_lock) 上锁

static inline bool file_needs_f_pos_lock(struct file *file)
{
  if (!(file->f_mode & FMODE_ATOMIC_POS))
    return false;
  if (__file_ref_read_raw(&file->f_ref) != FILE_REF_ONEREF)
    return true;
[...]
}

其中 FMODE_ATOMIC_POS 对于 regular file 是自动加上的，注释标明这是 SUSv4 的要求

  /* POSIX.1-2008/SUSv4 Section XSI 2.9.7 */
  if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))
    f->f_mode |= FMODE_ATOMIC_POS;

不少著名服务其实依赖了这个行为，比如 nginx 的 worker log 都是从 master fork 继承过来的，那无需 O_APPEND 就能正确运行；Python 著名的 WSGI server gunicorn 也是这种 fork 继承 log fd 模式，曾经有人提问它怎么保证日志输出不会产生多进程 race，我也曾百思不得其解： https://github.com/benoitc/gunicorn/issues/1272

这是我九年前在北京日夜学习思考记录在 trello 的最后一个未解之谜，虽然多少有点焦虑 LLM 的强大，依然很高兴自己能在 AI 辅助下以前所未有地速度解决复杂问题。（这样就有更多时间摸鱼和玩游戏了😉）

(@refault_any 考古 2002 年 Linus 撕逼提到 O_APPEND 也很有趣： https://lore.kernel.org/all/[email protected]/

但其实第二高赞的回答是正确的

https://t.iss.one/theblockbeats/176703
还是 V12Sec，但是是区块链

@v12sec:
We originally reported this bug on April 28.
Our AI security tool autonomously found this weeks before the hack happened.
But embargo was broken when they accidentally made a public PR with the fix, before it was deployed to the validator set 🥴
https://x.com/v12sec/status/2055293473423810983/

H200还没到中国，Anthropic先急了：千亿美元抢芯片，转头涨价让开发者买单

Anthropic以中美AI竞争为由发布长文，呼吁进一步收紧芯片出口限制。

========
我已经5h没听到 a\和李彦宏小时候的故事了

原文赏析
https://m.huxiu.com/article/4858714.html

QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL (Compute Express Link) Type-3 (Memory Device) device emulation.

1. OOB read: cmd_logs_get_log() treats the CEL log offset as an array index in the memmove() source expression even though the CXL mailbox offset is in bytes.
2. OOB write: cmd_features_set_feature() accepts byte offsets into several small feature write-attribute structures without checking that offset + bytes_to_copy stays inside the selected structure.

poc.c is a working exploit that drives the emulated CXL mailbox from the guest through the device BAR. It depends on offsets for the specific QEMU build and host libc layout. The exploit can be weaponized to work reliably across many QEMU versions using the OOB read to scan memory. However this is out of scope for this PoC.

https://github.com/v12-security/pocs/tree/main/qemu

assigned CVE-2026-46333
Debian trixie 6.12.88-1
Debian bookworm 6.1.172-1

fragnesia-5db89c99566fc
This is a variant of our Fragnesia bug (CVE-2026-46300) that bypasses the merged fix (commit f84eca581739) by exploiting a separate path that remains unpatched in both mainline and the netdev net tree as of 2026-05-15 18:00 UTC.

The bug is in skb_segment() in net/core/skbuff.c. When building GSO segments from an skb that has a frag_list, the function propagates SKBFL_SHARED_FRAG only from the head skb. If a frag_list member carries page-cache-backed frags with the flag set but the head does not, the resulting segment skbs lose the marker. This lets them pass the skip_cow guard in esp_input() and get decrypted in place over page-cache pages, same primitive as the original Dirty Frag and Fragnesia exploits.

Triggering it requires three network namespaces connected by veth pairs. The sender does a normal send() followed by splice() on the same TCP connection. GRO on the forwarding hop coalesces the two into a single skb where the send() segment becomes the head (no flag) and the splice() segment goes into the frag_list (flag set). The forwarder has GSO disabled on its egress veth, so skb_segment() fires and strips the flag. The segments then reach an espintcp receiver that decrypts in place. The GRO coalescing step requires both segments to arrive in the same NAPI poll cycle, which is reliable with back-to-back sends but not fully deterministic, so the exploit retries on failure. The rest of the exploitation is identical to Fragnesia: AES-GCM keystream control gives a deterministic one-byte page-cache write per trigger, and the exploit iterates over a small ELF payload to overwrite a SUID binary.

We have reported this to the relevant parties. There is a pending patch (not currently accepted or merged) on the netdev list that would incidentally help prevent this by propagating the flag earlier in the GRO path, though it was not written to address this bug specifically, and no patch currently proposed fixes the root cause in skb_segment() itself.

https://github.com/v12-security/pocs/tree/main/fragnesia-5db89c99566fc

Pull documentation fixes from Jonathan Corbet:
"This is Willy Tarreau's new document clarifying the definition and
handling of security-related bugs, which we're trying to get out there
quickly on the theory that some of the bug reporters might actually
read and pay attention to it"

* tag 'docs-7.1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/docs/linux:
docs: threat-model: don't limit root capabilities to CAP_SYS_ADMIN
docs: security-bugs: add a link to the threat-model documentation
Documentation: security-bugs: clarify requirements for AI-assisted reports
Documentation: security-bugs: explain what is and is not a security bug
Documentation: security-bugs: do not systematically Cc the security team

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36d49bba19f2c19c933d13b25dcf4eb607a030b3