FreeBSD-SA-21:11.smap : SMAP bypass
Versions Affected : All versions prior to TrueNAS 12.0-U5
The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.
This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.
No workaround is available. On hardware that does not implement SMAP, the bug is inconsequential as the mitigation does not exist in the first place.
- Upgrade to TrueNAS 12.0-U5 or later.
- FreeBSD Revision : r369863
- TrueNAS Commit : 31b6269
- TrueNAS Commit : 3ca0f2e
- TrueNAS Commit : 378e315
- JIRA Ticket : NAS-111053