by kernal 1489 days ago
>Very nice write-up on how unfinished and insecure Fuchsia is as a result of it being so unfinished.

Did you even read the write up? The only bug found was the ability to read the kernel log. Everything else was manufactured.

You’re kidding, right? Did you miss the parts about KASLR being broken and syscalls with TODOs for missing validations? And the CVEs created in relation to these?

I saw one CVE (CVE-2022-0882) for the innocuous kernel log bug. How many CVEs did you see? As for the KASLR, this was a known issue to the Fuchsia devs.

>This is a known-issue. KASLR support on the zircon kernel is just there so that it doesn't bit-rot. We are always picking up a static address instead of a dynamic one.

>Once physboot rollout is complete, that should make it easier to support kaslr.

KASLR is a pretty meh mitigation. But yeah, "todo" around capability checking probably should have been a higher priority fix.