
[Sun] Two Denial of Service Vulnerabilities in the Sun Solaris Kernel - 103064



-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Dear colleagues,
we have just received the following bulletin from the SUN Customer Warning
System. We are forwarding this information to you unchanged.

  6351793 / 6358047 - Denial of Service vulnerability in the Sun Solaris
  Kernel

  The Sun Solaris operating system kernel contains two denial of service
  vulnerabilities, not yet described in any detail, in the kernel
  statistics generation subsystem. A local attacker can use these
  vulnerabilities to crash the system, triggering a "recursive mutex_enter"
  or a "deadlock" kernel panic.

The following software packages and platforms are affected:

  Solaris Kernel

  SPARC platform:
       * Solaris 8 without patch 117350-50
       * Solaris 9 without patch 122300-13
       * Solaris 10 without patch 127111-01

  x86 platform:
       * Solaris 8 without patch 117351-50
       * Solaris 9 without patch 122301-13
       * Solaris 10 without patch 127112-01

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-103064-1


(c) of the German summary: DFN-CERT Services GmbH; distribution, including
in excerpts, is permitted only with reference to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.

Kind regards,
   Andreas Bunten, DFN-CERT
- -- 
Andreas Bunten (CSIRT), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Sun(sm) Alert Notification
     * Sun Alert ID: 103064
     * Synopsis: Security Vulnerabilities in Solaris Kernel Statistics
       Retrieval Process May Allow a Denial of Service (DoS)
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Solaris 8 Operating System
     * BugIDs: 6351793, 6358047
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 18-Oct-2007
     * Date Closed: 18-Oct-2007
     * Date Modified:

1. Impact

   Security vulnerabilities in the implementation of the retrieval of Kernel
   statistics may allow a local unprivileged user to panic the system, causing
   a Denial of Service (DoS) condition.

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform:
     * Solaris 8 without patch 117350-50
     * Solaris 9 without patch 122300-13
     * Solaris 10 without patch 127111-01

   x86 Platform:
     * Solaris 8 without patch 117351-50
     * Solaris 9 without patch 122301-13
     * Solaris 10 without patch 127112-01

3. Symptoms

   Two different types of panic can result:

   A) A 'recursive mutex_enter' panic

   To identify this panic scenario, run the following two commands on the
   crashdump and review the resultant output:
    # echo "::status" | mdb -k unix.0 vmcore.0 | grep "panic message"
    panic message: recursive mutex_enter, lp=<> owner=<> thread=<>

    # echo "*panic_thread::findstack" | mdb -k unix.0 vmcore.0
    stack pointer for thread 30016e77a00: 2a100ce7ee1
       000002a100ce7f91 mutex_vector_enter+0x334()
       000002a100ce8051 sfmmu_mlspl_enter+0x2c0()
       000002a100ce8101 hat_page_getshare+4()
       000002a100ce81b1 page_create_va+0x564()
       000002a100ce8301 segkmem_page_create+0x78()
       000002a100ce8401 segkmem_xalloc+0xd0()
       000002a100ce84c1 segkmem_alloc+0x9c()
       000002a100ce8581 vmem_xalloc+0x6d4()
       000002a100ce8701 vmem_alloc+0x238()
       000002a100ce87c1 kmem_slab_create+0x44()
       000002a100ce8891 kmem_slab_alloc+0x60()
       000002a100ce8941 kmem_cache_alloc+0x148()
       000002a100ce89f1 kmem_zalloc+0x28()
       000002a100ce8aa1 hrm_init+0x20()
       000002a100ce8b51 hat_setstat+0x64()
       000002a100ce8c01 sfmmu_ttesync+0xe0()
       000002a100ce8cb1 sfmmu_hblk_sync+0x21c()
       000002a100ce8d71 hat_sync+0x378()
       000002a100ce8e71 hat_getstat+0x34()
       000002a100ce8f21 prpdread32+0x3b0()
       000002a100ce90b1 pr_read_pagedata_32+0xc4()
       000002a100ce9161 read+0x29c()
       000002a100ce92e1 syscall_trap32+0x1e8()

   Analysis:
    1. The panic message should be "recursive mutex_enter, ..."
    2. The stack backtrace of the panicking thread should show a call to the
       hrm_init() function followed by a call to the sfmmu_mlspl_enter()
       function.

   B) A 'Deadlock' panic

   To identify this panic scenario, run the following two commands on the
   crashdump and review the resultant output:
    # echo "::status" | mdb -k unix.0 vmcore.0 | grep "panic message"
    panic message: Deadlock: cycle in blocking chain

    # echo "*panic_thread::findstack" | mdb -k unix.0 vmcore.0
    stack pointer for thread 3003b164ce0: 2a10a2e2941
       000002a10a2e29f1 priv_rtt+0x1c()
       000002a10a2e2b41 0()
       000002a10a2e2bf1 sfmmu_mlspl_enter+0x200()
       000002a10a2e2ca1 hat_pageunload+0x2c()
       000002a10a2e2d61 page_destroy+0x54()
       000002a10a2e2e11 segkmem_free+0xb0()
       000002a10a2e2ec1 hat_freestat+0x164()
       000002a10a2e2f71 prclose+0x18c()
       000002a10a2e3021 fop_close+0x20()
       000002a10a2e30d1 closef+0x4c()
       000002a10a2e3181 closeandsetf+0x37c()
       000002a10a2e3231 close+8()
       000002a10a2e32e1 syscall_trap+0xac()

   Analysis:
    1. The panic message should be "Deadlock: cycle in blocking chain"
    2. The stack backtrace of the panicking thread should show a call to the
       hat_freestat() function followed by a call to the sfmmu_mlspl_enter()
       function (or sfmmu_mlist_enter()).

   Note: By default, crash dumps are written to /var/crash/<uname -n>. See
   dumpadm(1M) for more information.
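   The two analyses above reduce to a check on the panic message plus the
   relative order of two stack frames. As an added example (not part of the
   Sun Alert or of the DFN-CERT message), the shell helper below encodes that
   check so a dump can be triaged without reading the stack by eye. The
   function names classify_panic and triage_crashdump and the abridged sample
   stacks are this example's own constructions; triage_crashdump only wraps
   the two mdb commands the alert gives and is not exercised by the samples.

```shell
#!/bin/sh
# Crash-dump triage helper for Sun Alert 103064 (added example; not part of
# the alert or of DFN-CERT's text). It consumes the combined output of the
# two mdb commands from the Symptoms section and reports which of the two
# panic signatures, if either, a dump matches. Sample data below is
# constructed from the stacks quoted in the alert (abridged).

# classify_panic: read "::status" and "*panic_thread::findstack" output on
# stdin and print exactly one of:
#   recursive-mutex_enter  scenario A: hrm_init() led into sfmmu_mlspl_enter()
#   deadlock               scenario B: hat_freestat() led into
#                          sfmmu_mlspl_enter() or sfmmu_mlist_enter()
#   no-match               message or call order does not fit this alert
classify_panic() {
    awk '
        /panic message:/ {
            if ($0 ~ /recursive mutex_enter/)                  msg = "recursive"
            else if ($0 ~ /Deadlock: cycle in blocking chain/) msg = "deadlock"
            else                                               msg = "other"
            next
        }
        # Frame lines look like "000002a100ce8aa1 hrm_init+0x20()".
        # findstack lists the innermost frame first, so a function that the
        # alert says "is followed by a call to X" appears BELOW X here.
        $1 ~ /^[0-9a-f]+$/ && $2 ~ /^[A-Za-z_]/ && $2 ~ /\(\)$/ {
            fn = $2
            sub(/\(\)$/, "", fn)   # drop the trailing "()"
            sub(/\+.*/,  "", fn)   # drop the "+0x20" offset
            n++
            frame[n] = fn
            next
        }
        END {
            for (i = 1; i <= n; i++) {
                if (frame[i] == "sfmmu_mlspl_enter" && !mlspl) mlspl = i
                if (frame[i] == "sfmmu_mlist_enter" && !mlist) mlist = i
                if (frame[i] == "hrm_init")                    hrm   = i
                if (frame[i] == "hat_freestat")                hfs   = i
            }
            if (msg == "recursive" && mlspl && hrm && mlspl < hrm)
                print "recursive-mutex_enter"
            else if (msg == "deadlock" && hfs &&
                     ((mlspl && mlspl < hfs) || (mlist && mlist < hfs)))
                print "deadlock"
            else
                print "no-match"
        }
    '
}

# triage_crashdump DIR: run the alert's two mdb commands against the dump in
# DIR (default /var/crash/<uname -n>, see dumpadm(1M)) and classify it.
# Only meaningful on a Solaris host with mdb installed.
triage_crashdump() {
    dir=${1:-/var/crash/$(uname -n)}
    {
        echo "::status"                 | mdb -k "$dir/unix.0" "$dir/vmcore.0"
        echo "*panic_thread::findstack" | mdb -k "$dir/unix.0" "$dir/vmcore.0"
    } | classify_panic
}

# Constructed samples, abridged from the alert's two stacks.
SAMPLE_A='panic message: recursive mutex_enter, lp=<> owner=<> thread=<>
stack pointer for thread 30016e77a00: 2a100ce7ee1
   000002a100ce7f91 mutex_vector_enter+0x334()
   000002a100ce8051 sfmmu_mlspl_enter+0x2c0()
   000002a100ce8101 hat_page_getshare+4()
   000002a100ce89f1 kmem_zalloc+0x28()
   000002a100ce8aa1 hrm_init+0x20()
   000002a100ce8b51 hat_setstat+0x64()
   000002a100ce8e71 hat_getstat+0x34()
   000002a100ce8f21 prpdread32+0x3b0()
   000002a100ce9161 read+0x29c()
   000002a100ce92e1 syscall_trap32+0x1e8()'

SAMPLE_B='panic message: Deadlock: cycle in blocking chain
stack pointer for thread 3003b164ce0: 2a10a2e2941
   000002a10a2e29f1 priv_rtt+0x1c()
   000002a10a2e2b41 0()
   000002a10a2e2bf1 sfmmu_mlspl_enter+0x200()
   000002a10a2e2ca1 hat_pageunload+0x2c()
   000002a10a2e2e11 segkmem_free+0xb0()
   000002a10a2e2ec1 hat_freestat+0x164()
   000002a10a2e2f71 prclose+0x18c()
   000002a10a2e3231 close+8()
   000002a10a2e32e1 syscall_trap+0xac()'

# Constructed: same deadlock message, but hat_freestat() is not on the path
# into the mlist lock, so the message alone does not attribute it to 103064.
SAMPLE_OTHER='panic message: Deadlock: cycle in blocking chain
stack pointer for thread 30016e77a00: 2a100ce7ee1
   000002a100000001 mutex_vector_enter+0x334()
   000002a100000002 sfmmu_mlspl_enter+0x2c0()
   000002a100000003 page_create_va+0x564()
   000002a100000004 read+0x29c()
   000002a100000005 syscall_trap32+0x1e8()'

for s in "$SAMPLE_A" "$SAMPLE_B" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | classify_panic
done
# prints: recursive-mutex_enter, deadlock, no-match
```

   The order test is the point of the analysis steps: both alert scenarios
   share the sfmmu_mlspl_enter() frame with plenty of unrelated panics, and
   it is the caller further down the stack (hrm_init() or hat_freestat())
   that ties a dump to this bug rather than to some other locking fault.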

4. Relief/Workaround

   There is no workaround for this issue. Please see the Resolution section
   below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform:
     * Solaris 8 with patch 117350-50 or later
     * Solaris 9 with patch 122300-13 or later
     * Solaris 10 with patch 127111-01 or later

   x86 Platform:
     * Solaris 8 with patch 117351-50 or later
     * Solaris 9 with patch 122301-13 or later
     * Solaris 10 with patch 127112-01 or later

   This Sun Alert notification is being provided to you on an "AS IS" basis.
   This Sun Alert notification may contain information provided by third
   parties. The issues described in this Sun Alert notification may or may not
   impact your system(s). Sun makes no representations, warranties, or
   guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
   HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
   IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
   proprietary and confidential information. It is being provided to you
   pursuant to the provisions of your agreement to purchase services from Sun,
   or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
   Alert notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRxiwbRYd1iQZmhQQAQGdbggAoAACzQFJi65AxEjxegNlRdBvs2yATy1I
nmp9bRMMuOEYYgq8rTPa1TkP+JJsGUi6LG5AvCgb4spkRkJ8KK0Z3lyhEcYS8y46
5KJfsPzJ5+0JyksaWu1okzLFB8uWG+w7GX438n22bTZtjbLSB5iuQTfkFLHWsH3E
Dh56Asz4bY7VbLNq5WyqCvdrVKm/Q6mK+P4yxmOeC5bWviG/FBm8stNdbz3uYev5
rYYVxTKJBB517qIjE4VCp01Ro+wcUPU/eczzrISjbY8x7XvEQ52R5G7PXDXbovXY
H57QHInyK5oA7YFNRE6wPI1RmDDZHeLtgh0ONhjMCaL0qdGiK1JFCQ==
=c3Yl
-----END PGP SIGNATURE-----