Note: This is an archival copy of Security Sun Alert 201117 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000837.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Resolved Release
A local unprivileged user may be able to cause significant performance degradation, hang the system, or panic the system, resulting in a Denial of Service (DoS) condition. This is due to a security vulnerability involving the pagedata subsystem of the process file system "/proc" (see proc(4)).
These issues can occur in the following releases:
The symptoms of degraded performance will be a lack of virtual memory due to the "kmem_oversize" arena allocating or having allocated an unusually large proportion of system memory without freeing it. This can be confirmed with the kstat(1M) utility as follows:
$ kstat vmem::kmem_oversize
The output would show substantially more "allocs" than "frees" and a large value for "mem_inuse."
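The check described above can be scripted against the parseable form of the same counters. This is an added example, not part of the Sun Alert: it assumes `kstat -p` reports the arena's counters under the statistic names `alloc`, `free` and `mem_inuse`, and the two thresholds are assumptions, since the advisory gives no numbers.

```shell
#!/bin/sh
# Added example, not from the advisory. Thresholds are assumptions: the advisory
# gives no numbers for "substantially more" allocs or a "large" mem_inuse.
MIN_OUTSTANDING=${MIN_OUTSTANDING:-1000}        # allocs minus frees
MIN_INUSE_BYTES=${MIN_INUSE_BYTES:-1073741824}  # 1 GiB

# Reads `kstat -p vmem::kmem_oversize` lines on stdin, of the form
#   vmem:<instance>:kmem_oversize:<statistic><TAB><value>
# Prints one verdict line. Returns 0 = normal, 1 = suspect, 2 = counters missing.
check_oversize() {
    awk -v min_out="$MIN_OUTSTANDING" -v min_inuse="$MIN_INUSE_BYTES" '
        { n = split($1, key, ":"); stat = key[n] }
        stat == "alloc"     { allocs = $2; seen++ }
        stat == "free"      { frees  = $2; seen++ }
        stat == "mem_inuse" { inuse  = $2; seen++ }
        END {
            if (seen != 3) { print "UNKNOWN: alloc/free/mem_inuse not all present"; exit 2 }
            outstanding = allocs - frees
            verdict = (outstanding >= min_out && inuse >= min_inuse) ? "SUSPECT" : "OK"
            printf "%s: allocs=%s frees=%s outstanding=%d mem_inuse=%s\n",
                   verdict, allocs, frees, outstanding, inuse
            exit (verdict == "SUSPECT")
        }'
}

# Constructed sample in kstat -p layout; instance 22 and all values are invented.
sample_kstat() {  # usage: sample_kstat <allocs> <frees> <mem_inuse>
    printf 'vmem:22:kmem_oversize:alloc\t%s\n' "$1"
    printf 'vmem:22:kmem_oversize:class\tvmem\n'
    printf 'vmem:22:kmem_oversize:free\t%s\n' "$2"
    printf 'vmem:22:kmem_oversize:mem_inuse\t%s\n' "$3"
}

# On a live host: kstat -p vmem::kmem_oversize | check_oversize
sample_kstat 250000 1200 6442450944 | check_oversize || true
```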
For customers using a kernel debugger such as mdb(1) or kmdb(1) either on a live system or system crash dump, the kmem_oversize arena can be investigated to review the number of "allocs" and "frees". For example, using mdb(1):
> ::vmem ! grep kmem_oversize
0000030000034000 kmem_oversize 16098796 16384000 1097 0
> 0000030000034000::print vmem_t vm_kstat.vk_free.value.l
vm_kstat.vk_free.value.l = 0x3d5
> 0000030000034000::print vmem_t vm_kstat.vk_alloc.value.l
vm_kstat.vk_alloc.value.l = 0x43e
The symptoms of a system panic will be a "NULL pointer dereference" message similar to the following:
BAD TRAP: type=31 rp=2a1006b7480 addr=180 mmu_fsr=0 occurred in module "genunix" due to a NULL pointer dereference
There is no workaround to these issues. Please see the Resolution section below.
These issues are addressed in the following releases: