Note: This is an archival copy of Security Sun Alert 200597 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000459.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Resolved Release
A security vulnerability in the NFS client module related to the handling of acl(2) packets may allow a local or remote unprivileged user to cause an NFS server to panic, leading to a Denial of Service (DoS) condition.
Sun acknowledges with thanks, Andrzej Dereszowski (firstname.lastname@example.org), for bringing this issue to our attention.
This issue can occur in the following releases:
Note: This issue only affects systems which have been configured as NFS servers.
To determine if a Solaris 8 or 9 system has been configured as an NFS server, the following command can be run::
$ ps -ef | grep nfsd root 291 1 0 May 08 ? 0:00 /usr/lib/nfs/nfsd
To determine if a Solaris 10 system has been configured as an NFS server, the following command can be run::
$ svcs svc:/network/nfs/server:default STATE NSTATE STIME CTID FMRI online - May_11 94 svc:/network/nfs/server:default
If the state in the svcs(1) output reports "online" then the system is configured as an NFS server.
A stack trace similar to the following is indicative of this issue:
d456a970 genunix:vmem_hash_delete+d0 (dac04690, d5430600,) d456a9ac genunix:vmem_xfree+2b (dac04690, d5430600,) d456a9c0 genunix:vmem_free+1e (dac04690, d5430600,) d456a9f4 genunix:kmem_free+36 (d5430600, c003c) d456aa34 genunix:xdr_array+f6 (d49cd484, d456ab20,) d456aa7c nfs:xdr_secattr+69 (d49cd484, d456ab18) d456aa98 nfs:xdr_SETACL3args+4f (d49cd484, d456aad0) d456aab0 rpcmod:svc_clts_kfreeargs+29 (d49cd400, fa19438c,) d456ad10 nfssrv:common_dispatch+6ce (d456ad8c, d49cd400,) d456ad34 nfssrv:acl_dispatch+1f (d456ad8c, d49cd400) d456adc4 rpcmod:svc_getreq+158 (d49cd400, dad9e2c0) d456ae0c rpcmod:svc_run+146 (d57a9960) d456ae2c rpcmod:svc_do_run+6e (1) d456af84 nfs:nfssys+3fb (e, d2940fc8, d08e, )
To avoid this issue until patches can be applied, the NFS server can be disabled by using the following command:
For Solaris 8 and 9:
# /etc/init.d/nfs.server stop
For Solaris 10:
# svcadm disable svc:/network/nfs/server:default
This issue is addressed in the following releases:
This solution has no attachment