[Sun] Vulnerability in the Solaris function aio_suspend() - 247986

Dear colleagues,

we have just received the following Sun Security Advisory. We are
passing this information on to you unchanged.

Sun Bug ID# 6748772 – Vulnerability in the Solaris function aio_suspend()

In the function aio_suspend(), or rather the Solaris system call
SYS_kaio(), an integer overflow can be triggered on 32-bit systems. A
local attacker can thereby cause a kernel panic and thus crash the
system.

The following software packages and platforms are affected:

Solaris 8
Solaris 9
Solaris 10
OpenSolaris

SPARC platform
* Solaris 8 without patch 117350-59
* Solaris 9 without patch 138577-01
* Solaris 10 without patch 121394-02
* OpenSolaris based on builds snv_01 through snv_106

x86 platform
* Solaris 8 without patch 117351-59
* Solaris 9 without patch 138578-01
* Solaris 10 without patch 121395-02
* OpenSolaris based on builds snv_01 through snv_106

The vendor provides revised packages.

Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-247986-1

(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the author, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (Incident Response Team), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

16th DFN Workshop "Security in Networked Systems" (Sicherheit in vernetzten Systemen)
https://www.dfn-cert.de/ws2009/

Solution Type Sun Alert
Solution 247986 : Security Vulnerability in aio_suspend(3RT) May
Lead to a System Panic, Resulting in a Denial of Service (DoS)
Related Categories

* Home>Content>Sun Alert Criteria Categories>Security
* Home>Content>Sun Alert Release Phase>Resolved

Bug ID
6748772

Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
09-Jan-2009

Date of Resolved Release
12-Jan-2009

SA Document Body
Security vulnerability in aio_suspend(3RT) may lead to a system panic,
resulting in a Denial of Service (DoS):

1. Impact
An integer overflow security vulnerability in aio_suspend(3RT) may
allow a local unprivileged user to panic systems running in 32 bit
mode, thereby resulting in a Denial of Service (DoS) condition.
This issue is also mentioned in the following document:
* http://www.trapkit.de/advisories/TKADV2009-001.txt

Sun acknowledges with thanks, Tobias Klein (http://www.trapkit.de/) for
bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patch 117350-59
* Solaris 9 without patch 138577-01
* Solaris 10 without patch 121394-02
* OpenSolaris based upon builds snv_01 through snv_106

x86 Platform
* Solaris 8 without patch 117351-59
* Solaris 9 without patch 138578-01
* Solaris 10 without patch 121395-02
* OpenSolaris based upon builds snv_01 through snv_106

Note 1: The function aio_suspend() is described in the man page section
3C in OpenSolaris builds 2008.05 and later.
Note 2: OpenSolaris distributions may include additional bug fixes
above and beyond the build from which it was derived. To determine the
base build of OpenSolaris, the following command can be used:
$ uname -v
snv_86

Note 3: This issue only impacts systems that are running in 32 bit
mode. To determine if a system is running in 32 bit mode, execute the
following command:
$ isainfo -b
32

If “32” is returned, the system is running in 32-bit mode.
3. Symptoms
If the described issue occurs, the system may panic with a stack trace
similar to the following:
panic[cpu0]/thread=d4764de0:
vmem_xalloc(): size == 0
d418cd94 genunix:vmem_xalloc+2d8 (fec66738, 0, 1000, )
d418cdd0 genunix:vmem_alloc+135 (fec66738, 0, 1)
d418cdfc unix:segkmem_xalloc+2d (fec66738, 0, 0, 1, )
d418ce28 unix:segkmem_alloc_vn+b7 (fec66738, 0, 1, fec)
d418ce40 unix:segkmem_alloc+16 (fec66738, 0, 1)
d418ce8c genunix:vmem_xalloc+3b4 (da004690, fffffffc,)
d418cec8 genunix:vmem_alloc+135 (da004690, fffffffc,)
d418cee4 genunix:kmem_alloc+32 (fffffffc, 1)
d418cf30 kaio:aiosuspend+a6 (0, 3fffffff, 0, 0, )
d418cf64 kaio:kaio+162 (d418cf8c, d418cf78)
d418cf84 genunix:syscall_ap+4d (8, 0, 3fffffff, 0, )

4. Workaround
There is no workaround for this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patch 117350-59 or later
* Solaris 9 with patch 138577-01 or later
* Solaris 10 with patch 121394-02 or later
* OpenSolaris based upon builds snv_107 and later

x86 Platform
* Solaris 8 with patch 117351-59 or later
* Solaris 9 with patch 138578-01 or later
* Solaris 10 with patch 121395-02 or later
* OpenSolaris based upon builds snv_107 and later
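
As an added example (not part of the Sun Alert or of DFN-CERT's text): a shell check that combines the 32-bit test from Note 3 with the patch revisions and OpenSolaris builds listed under Contributing Factors and Resolution. The function names and the sample `showrev -p` text are constructed; the mapping of `uname -r` and `uname -p` values to the alert's release and platform names is an assumption of this example.

```sh
#!/bin/sh
# Added example: exposure check for Sun Alert 247986. On a real host the
# arguments come from `isainfo -b`, `uname -r`, `uname -p`, `uname -v` and
# `showrev -p`; here they are passed in so the logic runs offline.

# fixed_patch RELEASE ARCH: print the fixing patch named in the alert.
# Assumption: uname -r 5.8/5.9/5.10 = Solaris 8/9/10, uname -p sparc/i386.
fixed_patch() {
    case "$1/$2" in
        5.8/sparc)  echo 117350-59 ;;
        5.9/sparc)  echo 138577-01 ;;
        5.10/sparc) echo 121394-02 ;;
        5.8/i386)   echo 117351-59 ;;
        5.9/i386)   echo 138578-01 ;;
        5.10/i386)  echo 121395-02 ;;
        *) return 1 ;;
    esac
}

# has_patch ID-REV SHOWREV_TEXT: succeed if the same patch ID is installed at
# that revision or later. A fix delivered through a different, obsoleting
# patch ID is not recognised and needs a manual look.
has_patch() {
    printf '%s\n' "$2" | awk -v b="${1%-*}" -v n="${1#*-}" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == b && p[2] + 0 >= n + 0) ok = 1 }
        END { exit !ok }'
}

# exposure BITS RELEASE ARCH KERNEL_VERSION SHOWREV_TEXT
# prints one of: not-affected-64bit, fixed, vulnerable, unknown
exposure() {
    [ "$1" = 32 ] || { echo not-affected-64bit; return; }
    case "$4" in
        snv_*)  # OpenSolaris: builds snv_01..snv_106 affected, snv_107+ fixed
            build=$(printf '%s' "${4#snv_}" | sed 's/[^0-9].*//')
            [ -n "$build" ] || { echo unknown; return; }
            if [ "$build" -ge 107 ]; then echo fixed; else echo vulnerable; fi
            return ;;
    esac
    need=$(fixed_patch "$2" "$3") || { echo unknown; return; }
    if has_patch "$need" "$5"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample of `showrev -p` output (not taken from a real host).
SAMPLE='Patch: 121394-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'
exposure 32 5.10 sparc Generic "$SAMPLE"
```

On a live system the call would be `exposure "$(isainfo -b)" "$(uname -r)" "$(uname -p)" "$(uname -v)" "$(showrev -p)"`.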

For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History
12-Jan-2009: Updated Contributing Factors and Resolution sections. Resolved.

Attachments
This solution has no attachment
