Note: This is an archival copy of Security Sun Alert 200105 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000089.1.
Article ID : 1000089.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-01-29
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

On Solaris 10 a System Panic Due to a Race Condition May OccurWhen SNMP Queries are Processed (such as when netstat(1M) or ifconfig(1M) are run)



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6450585

Date of Workaround Release
11-AUG-2006

Date of Resolved Release
30-JAN-2007

Impact

A local or remote unprivileged user may be able to trigger a race condition in the kernel and panic a system with certain SNMP requests. A local unprivileged user may be able to trigger the same race condition and panic a local system using certain invocations of ifconfig(1M) or netstat(1M).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-04 through 118833-32 and without patch 118833-33

x86 Platform

  • Solaris 10 with patch 118855-03 through 118855-32 and without patch 118855-33

Note: Solaris 8 and 9 are not impacted by this issue.


Symptoms

A panic string and stack backtrace similar to the following:

  udp_snmp_get+0x100(3012541a658, 0, ...
snmpcom_req+0x33c(3012541a658, 300c12929c0, ...
ip_snmpmod_wput+0xe4(3012541a658, 300c12929c0, ...
putnext+0x218(3012541a750, 3012541a658, ...
snmpcom_req+0x368(3012ef12668, 300c12929c0, ...
icmp_wput_other+0x10c(3012ef12668, 300c12929c0, ...
qdrain_syncq+0x74(3012ef126d0, 3012ef12668, ...
drain_syncq+0x2e8(300fc1e01a0, 30124f34520, ...
outer_exit+0x8c(300bd9f7ef0, 300fc1e01a0, ...
qattach+0x144(3016d0a8d50, 2a1063bf758, ...
strioctl+0x1aa4(300fc1f5ca8, 0, ...
spec_ioctl+0x8c(2c00000315, 5302, ...
fop_ioctl+0x20(3032dccfd80, 5302, ...
ioctl+0x184(3, 3016fd2c290, 2073c, ...
syscall_trap32+0xcc(3, 5302, ...

 


Workaround

There is no workaround. Please see Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-33 or later

x86 Platform

  • Solaris 10 with patch 118855-33 or later


Modification History
Date: 14-NOV-2006
  • Updated Relief/Workaround section

 


Date: 11-JAN-2007
  • Modified Synopsis, Impact and Relief/Workaround sections

 


Date: 30-JAN-2007
  • State: Resolved
  • Updated Contributing Factors and Resolution sections

 



References

118833-33
118855-33




Attachments
This solution has no attachment