On Tue, 2015-05-26 at 11:12 -0700, Trent Mick wrote:
> # Highlights
>
> - Note that this build of SmartOS contains some particularly important
>   fixes for issues that can induce kernel panics.
To add a bit of extra flavour for everyone, as to why upgrading to this release is a *REALLY REALLY* good idea, and why you should do it ASAP if you're using LX branded zones:

One of the issues fixed herein is OS-4269, an incomplete bounds check in the LX brand getdents64 syscall handler for /proc. This bug turns out to allow any unprivileged user in an LX branded zone to seize control of a kernel thread. At this point they can escape the zone, become global zone root, and control the entire system (and this is not just an academic statement either).

The broken bounds check allows an attacker to reliably cause the kernel to strcpy() from a NULL pointer into the kernel thread's stack frame, without any size checking (it turns into a no-op because it was in an ASSERT, not a VERIFY). Currently illumos (and SmartOS) allows mmap at zero, builds the kernel without any stack canaries, and has no SMAP support, so this bug is trivially exploitable for privilege escalation.

P.S. The SMEP support added in the release previous makes the exploit slightly harder to write (you might have to use some ROP! oh the humanity!), but it is still what most security researchers would refer to as "90s style baby stuff". SMEP is definitely a step in the right direction though.

So, upgrading is a very good idea. I would highly recommend it. :)

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
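As an added illustration of the ASSERT-versus-VERIFY point made above (this is not code from the post, from illumos or from SmartOS), the small C model below shows why a bounds check that lives only inside ASSERT() disappears from a non-DEBUG build while an ordinary check survives. The ASSERT/DEBUG macro behaviour mirrors the illumos convention the post refers to; the buffer size and all function names are assumptions for the example.

```c
/* Added illustration, not illumos code: a guard that exists only inside
 * ASSERT() is compiled out of a non-DEBUG build, so strcpy() then runs with
 * no check at all.  Buffer size and function names are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* illumos-style ASSERT: elided (argument not even evaluated) unless DEBUG. */
#ifdef DEBUG
#define ASSERT(x) assert(x)
#else
#define ASSERT(x) ((void)0)
#endif

#define DIRENT_NAME_SZ 32

/* Returns 1 if ASSERT's argument actually ran, 0 on a production build.
 * The side effect in the condition only happens when the check is compiled in. */
int assert_is_compiled_in(void)
{
    int ran = 0;
    ASSERT((ran = 1) == 1);
    return ran;
}

/* The vulnerable pattern: the only guard is an ASSERT, so on a non-DEBUG
 * build a NULL or oversized name reaches strcpy() unchecked.  Shown for
 * contrast only; call it with valid input. */
int fill_name_assert_only(char dst[DIRENT_NAME_SZ], const char *name)
{
    ASSERT(name != NULL && strlen(name) < DIRENT_NAME_SZ);
    strcpy(dst, name);
    return (int)strlen(dst);
}

/* Hardened pattern: the check is ordinary code on every build and the
 * failure is reported to the caller instead of assumed away.
 * Returns the copied length, or -1 if name is NULL or does not fit. */
int fill_name_checked(char dst[DIRENT_NAME_SZ], const char *name)
{
    const char *nul;
    size_t len;
    if (name == NULL)
        return -1;
    nul = memchr(name, '\0', DIRENT_NAME_SZ);  /* NUL must appear within the buffer */
    if (nul == NULL)
        return -1;
    len = (size_t)(nul - name);
    memcpy(dst, name, len + 1);
    return (int)len;
}
```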
