Patch for illumos CERT Vulnerability

“A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker’s chosen RSP causing a privilege escalation.”

From Robert Mustacchi: “All, illumos is affected by this. We have landed a fix for this in illumos with hg changeset: 13724:7740792727e0 and issue id 2873. When returning from a system call we have a ‘fast’ path and a ‘slow’ path. Things that send us into the slow path are handling signals, etc. When returning in the slow path we always use the iret instruction which does not cause this issue.”

Joyent vendor statement to US-CERT:

“We have an illumos-derived system, SmartOS — it (and every other illumos derivative) was affected by this vulnerability. illumos issue:

Patch is in hg changeset: 13724:7740792727e0. This can also be found on the github bridge:

Joyent’s cloud customers are unaffected. Joyent’s SmartDataCenter customers will be receiving an updated platform, versioned joyent_20120614T001014Z.”
