[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TKADV2010-001] Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL Pointer Dereference

Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
Hash: SHA1

Advisory:               Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL 
                        Pointer Dereference 
Advisory ID:            TKADV2010-001
Revision:               1.0       
Release Date:           2010/01/31
Last Modified:          2010/01/31
Date Reported:          2009/11/29
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris 10 with 127128-11 and w/o 143913-01 (x86)
                        OpenSolaris build snv_69 through snv_133 (x86)
Remotely Exploitable:   No
Locally Exploitable:    Yes 
Vendor URL:             http://www.oracle.com, http://www.sun.com/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 61 days
CVE-ID:                 CVE-2010-0453

Vulnerability Details: 

The kernel of Oracle Solaris contains a vulnerability in the code that 
handles UCODE_GET_VERSION IOCTL requests. 

The vulnerability allows a local unprivileged user the ability to panic a 
Solaris x86 Intel-based system (32-bit/64-bit mode) due to a NULL pointer 
dereference. The ability to panic a system is a type of Denial of Service 

The issue can be triggered by sending a specially crafted IOCTL request to 
the kernel.

Technical Details:

The following source code references are based on the kernel source code 
available from http://www.opensolaris.org.


static int
ucode_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cr, int 
   switch (cmd) {
     int size;
     uint32_t *revp, *rev_array;
     ucode_errno_t rc = EM_OK;

     STRUCT_DECL(ucode_get_rev_struct, h);
     STRUCT_INIT(h, mode);
 [1] if (ddi_copyin((void *)arg,
         STRUCT_BUF(h), STRUCT_SIZE(h), mode))
       return (EFAULT);

 [2] if ((size = STRUCT_FGET(h, ugv_size)) > NCPU)
       return (EINVAL);

     if ((rev_array = STRUCT_FGETP(h, ugv_rev)) == NULL)
       return (EINVAL);

     size *= sizeof (uint32_t);

 [3] revp = kmem_zalloc(size, KM_SLEEP);
     if (ddi_copyin((void *)rev_array, revp, size, mode) != 0) {
       kmem_free(revp, size);
       return (EINVAL);

 [4] rc = ucode_get_rev(revp);

[1] The struct 'h' is filled with user controlled IOCTL input data.
[2] The value of 'size' derives from user controlled data.
[3] If 'size' has a value of 0, kmem_zalloc() will return NULL. This 
    results in revp pointing to NULL. 
[4] 'revp' is used as a function parameter for ucode_get_rev().


 * Returns microcode revision from the machcpu structure.
ucode_get_rev(uint32_t *revp)
   int i;


   if (!ucode->capable(CPU))
     return (EM_NOTSUP);

   for (i = 0; i < max_ncpus; i++) {
     cpu_t *cpu;

     if ((cpu = cpu_get(i)) == NULL)

 [5] revp[i] = cpu->cpu_m.mcpu_ucode_info->cui_rev;

[5] This assignment leads to a NULL pointer dereference as 'revp == NULL'.


This issue is addressed in the following patch releases from Oracle/Sun:
x86 Platform
    - Solaris 10 with patch 143913-01 or later
    - OpenSolaris based upon builds snv_134 or later

Disclosure Timeline: 

  2009/11/29 - Initial vendor notification
  2009/11/30 - Oracle/Sun confirms the vulnerability
  2010/01/08 - Status update by Oracle/Sun
  2010/01/25 - Status update by Oracle/Sun
  2010/01/29 - Patch 143913-01 released for Solaris 10
  2010/01/31 - Release date of this security advisory


  Vulnerability found and advisory written by Tobias Klein.


[REF1] http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1
[REF2] http://www.trapkit.de/advisories/TKADV2010-001.txt


  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key: 


Copyright 2010 Tobias Klein. All rights reserved.

Version: PGP
Charset: utf-8