[oi-dev] Fwd: [developer] SECURITY HEADS UP - illumos#14424
Aurélien Larcher
aurelien.larcher at gmail.com
Tue Jan 18 20:14:24 UTC 2022
Given that illumos-gate is rebuilt every night, this change will land in
Hipster by tomorrow; it was merged into illumos-gate 3 hours ago.
Nonetheless I am forwarding the information in case it affects anyone
subscribed to these mailing lists.
---------- Forwarded message ---------
From: Dan McDonald <danmcd at joyent.com>
Date: Tue, Jan 18, 2022 at 7:55 PM
Subject: [developer] SECURITY HEADS UP - illumos#14424
To: illumos-developer <developer at lists.illumos.org>, illumos-discuss <discuss at lists.illumos.org>
Cc: Dan McDonald <danmcd at joyent.com>
Hello folks!
Quick breakdown:
IMPACT: This bug allows an unprivileged user with access to a tmpfs to
induce a denial of service to the system. This is more serious if untrusted
users have access to the system (e.g. a shared environment).
ACTION: Please be on the lookout for patches from the various
distributions and be ready to install them.
MITIGATIONS: At this time, there are no known easy mitigations that one can
apply short of disabling access to untrusted users and/or removing the
ability to use tmpfs from their zones.
NEXT STEPS: As we follow up on this, we'll be doing some additional
auditing and looking to more generally strengthen our regression test
suites to be able to catch issues like this in advance and ensure that
they are not reintroduced.
. . .
These details are also in https://www.illumos.org/issues/14424
Security researcher Hans Christian Woithe reported CVE-2021-43395 to
both us and Oracle. He discovered conditions where any arbitrary user
could induce tmpfs to panic with deadlock-detection. This bug tracks
our fix for this problem.
Tested using Hans's PoC, which now does not induce a panic. Tested on
OmniOS both bare-metal (by Andy Fiddaman) and VM (by Dan McD.).
Tested on SmartOS bare-metal (by Dan McD.).
We will introduce more analysis into the bug report as this fix gets
propagated.
If you run a distro PLEASE PUT THIS FIX IN ANY SUPPORTED RELEASE YOU HAVE.
It's easily backportable/cherry-pickable; I know OmniOS has it in their
old-LTS r151030, for example.
Thanks to Robert Mustacchi and Andy Fiddaman for feedback on earlier
revisions of this fix.
Thanks especially to security researcher Hans Christian Woithe, who informed
us and Oracle of this very old bug. I appreciate he took the advice here:
https://kebe.com/blog/?p=505
and I hope we reacted accordingly and politely (given we coordinated
releasing this fix with Oracle).
Please update your distros ASAP. And after some time, we'll update 14424
with details on how we arrived at the illumos fix.
Thank you,
Dan McDonald & Robert Mustacchi - on behalf of security at illumos.org
------------------------------------------
illumos: illumos-developer
Permalink:
https://illumos.topicbox.com/groups/developer/T1c9e4f27f8c2f959-M152e45495ece9b9555b52167
--
---
Praise the Caffeine embeddings