On 5/13/15 7:22 , Alex Wilson wrote:
> On Wed, 2015-05-13 at 10:00 -0400, Dan McDonald wrote:
>>> On May 13, 2015, at 8:37 AM, Joe Malcolm <[email protected]> wrote:
>>>
>>> Two questions on this Kvm/Xen/QEMU issue:
>>>
>>> 1) Does this also affect the kvm bits in SmartOS?
>>
>> Yes. I've a pull request in for the fix:
>>
>> https://github.com/joyent/illumos-kvm-cmd/pull/20

This has been merged. Thanks to Dan McDonald for preparing this.

>>> 2) Are those kvm bits resident in the encapsulating container, or are
>>> they associated with the boot image? I.e., is rebooting with a new
>>> image, once those are available, sufficient, or do the zones need to
>>> be rebuilt?
>>
>> If I understand correctly, this affects the qemu binary, which is part of
>> the boot image (it's an executable that's part of the OS's global zone).
>
> Yes, it's loopback mounted from the gz. Rebooting onto a new system
> image will replace it once a new build is available.
>
> One other thing to note is that the qemu process on SmartOS runs inside
> a zone, so escaping the qemu just gets you root in a zone that has
> basically nothing in it except the qemu binary and some config.
>
> You would need an additional kernel privesc vuln to escape that zone and
> take control over the entire box.

This is correct; the processes in there are running in a stripped privilege environment. It cannot fork.

To help folks out who want a fixed QEMU, I have provided one that is suitable for use with all platforms built after January 15 2015. The QEMU binary is available at:

https://us-east.manta.joyent.com/rmustacc/public/sec/CVE-2015-3456/qemu-system-x86_64

The SHA 256 signature is:

38089c8e23e59b624e092ced579dd8f5bc095618a944225b7b2d273796c35fdd

A signature is available here; it has been signed with the 2014Q4 package signing keys. Use an instance of pkgsrc 2014Q4 to verify it:

https://us-east.manta.joyent.com/rmustacc/public/sec/CVE-2015-3456/qemu-system-x86_64.asc

To use this, download the QEMU binary to the global zone and place it into /var/tmp. From there you should run the following series of commands:

1) Verify that the platform you have is sufficient for this

# pvs /usr/lib/libc.so | grep ILLUMOS_0.10

If that does not return anything, this instance of binary relief is not applicable.
2) Back up the old binary

# cp /smartdc/bin/qemu-system-x86_64 /smartdc/bin/qemu-system-x86_64.bak

3) Install the new binary

# rm /smartdc/bin/qemu-system-x86_64
# mv /var/tmp/qemu-system-x86_64 /smartdc/bin/qemu-system-x86_64

4) Restart all KVM instances

The changes listed above will not take effect until.

Please let me know if you have any questions.

Thanks,
Robert

-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
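The four manual steps above, folded into one script as an added example (this is not code from the original post, nor a Joyent or SmartOS tool). It checks the SHA-256 of the downloaded binary against the value quoted in the message before anything under /smartdc/bin is touched, and refuses to proceed on a mismatch or on a platform whose libc does not export ILLUMOS_0.10. Assumptions not stated in the post: it is run as root in the global zone; one of `sha256sum`, `shasum` or illumos `digest` is available; KVM instances are restarted with `vmadm stop` followed by `vmadm start`, which halts and re-creates the zone hosting the qemu process. Checking the detached .asc signature with the pkgsrc 2014Q4 keys is left as the separate manual step the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post or of SmartOS/Joyent tooling.
# Wraps the manual relief procedure: platform check, SHA-256 check, backup,
# install, restart of running KVM instances.
#
# Assumptions (not stated in the post): run as root in the global zone;
# sha256sum, shasum or illumos digest present; `vmadm stop`/`vmadm start`
# is how KVM instances are restarted so they pick up the new qemu.
set -u

# Digest quoted in the post for the relief binary.
EXPECTED_SHA256=38089c8e23e59b624e092ced579dd8f5bc095618a944225b7b2d273796c35fdd
NEW_BIN=/var/tmp/qemu-system-x86_64
TARGET=/smartdc/bin/qemu-system-x86_64

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        digest -a sha256 "$1"
    fi | tr 'A-F' 'a-f'
}

# Succeed only if the file's digest equals the expected one; the comparison
# is case-insensitive so a hash copied in uppercase still matches.
check_sha256() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Step 1 from the post: libc must export the ILLUMOS_0.10 version.
platform_supported() {
    pvs /usr/lib/libc.so 2>/dev/null | grep -q ILLUMOS_0.10
}

# Steps 2 and 3: keep a copy of the shipped binary, then move the new one in.
install_qemu() {
    cp "$TARGET" "$TARGET.bak" || return 1
    rm "$TARGET" || return 1
    mv "$NEW_BIN" "$TARGET" || return 1
    chmod 0755 "$TARGET"
}

# Step 4: restart every running KVM instance (assumption: stop/start of the
# zone is what replaces the qemu process).
restart_kvm_instances() {
    for uuid in $(vmadm list -p -o uuid type=KVM state=running); do
        vmadm stop "$uuid" && vmadm start "$uuid"
    done
}

main() {
    platform_supported || {
        echo "platform lacks ILLUMOS_0.10; relief binary not applicable" >&2; exit 2; }
    [ -f "$NEW_BIN" ] || {
        echo "$NEW_BIN not found; download it to /var/tmp first" >&2; exit 2; }
    check_sha256 "$NEW_BIN" "$EXPECTED_SHA256" || {
        echo "SHA-256 mismatch on $NEW_BIN; refusing to install" >&2; exit 3; }
    install_qemu || {
        echo "install failed; $TARGET.bak holds the previous binary" >&2; exit 4; }
    restart_kvm_instances
}

# Only act when explicitly asked, so the functions can be sourced or tested
# without touching the system.
if [ "${1:-}" = "install" ]; then
    main
fi
```

Invoke it as `sh qemu-relief.sh install` (the filename is an assumption) from the global zone after the binary has been downloaded to /var/tmp; without the `install` argument it defines the functions and does nothing.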
