Note: This is an archival copy of Security Sun Alert 201263 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000946.1.
Solaris 10 Operating System
Date of Resolved Release
An unprivileged local user may be able to exhaust all available kernel memory and cause the system to hang due to a security vulnerability in the TCP Loopback/Fusion implementation in Solaris 10. The ability to hang a system is a type of Denial of Service (DoS).
This issue can occur in the following releases:
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.
Note 2: This only affects systems which have TCP Fusion enabled. This can be determined using a command such as the following, which makes use of mdb to query the value of the do_tcp_fusion variable:
# mdb -k
Loading modules: [ unix krtld genunix specfs dtrace ufs sd pcipsy ip sctp usba fctl nca crypto zfs random ipc nfs audiosup logindmux ptm cpc fcip sppp lofs ]
> do_tcp_fusion/X
do_tcp_fusion:
do_tcp_fusion:  0
If the value returned is "0", the host is not impacted.
If the described issue occurs, the system will slow down considerably, eventually becoming unresponsive.
When the system is slow, but not unresponsive, the following commands can be used to ascertain the occurrence of the issue:
# echo "::kmastat ! head -3" | mdb -k ; \
echo "::kmastat !egrep kmem_alloc_8192" | mdb -k
cache                        buf    buf    buf    memory     alloc alloc
name                        size in use  total    in use   succeed  fail
------------------------- ------ ------ ------ --------- --------- -----
kmem_alloc_8192             8192   8874   9605  78684160    192013     0
If the "buf in use" column entry multiplied by 8192 is more than 50% of the physical memory on the system, the system may have hit this issue.
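The 50% check above can be scripted. The following is an added example, not part of the original Sun Alert: the function names are hypothetical, the kmastat rows are the sample output shown above, and the "Memory size" line is a constructed value in the format printed by prtconf (an assumption about the live system).

```shell
#!/bin/sh
# Added example: applies the advisory's threshold (buf in use * 8192 > 50% of
# physical memory) to ::kmastat output. Function names are hypothetical.

# Sample ::kmastat output copied from the advisory text.
SAMPLE_KMASTAT='cache                        buf    buf    buf    memory     alloc alloc
name                        size in use  total    in use   succeed  fail
------------------------- ------ ------ ------ --------- --------- -----
kmem_alloc_8192             8192   8874   9605  78684160    192013     0'

# Constructed sample line (assumed prtconf format: "Memory size: N Megabytes").
SAMPLE_PRTCONF='Memory size: 128 Megabytes'

# Read ::kmastat text on stdin; print bytes held by in-use kmem_alloc_8192
# buffers (column 2 "buf size" * column 3 "buf in use"). Fails if row is absent.
kmem8192_bytes_in_use() {
    awk '$1 == "kmem_alloc_8192" { printf "%.0f\n", $2 * $3; found = 1 }
         END { if (!found) exit 1 }'
}

# Read prtconf text on stdin; print physical memory in bytes.
phys_mem_bytes() {
    awk '/^Memory size:/ { printf "%.0f\n", $3 * 1024 * 1024; found = 1 }
         END { if (!found) exit 1 }'
}

# $1 = ::kmastat text, $2 = prtconf text.
# Prints SUSPECT when in-use bytes exceed half of physical memory, else OK.
# Prints PARSE_ERROR and returns 2 when either input lacks the expected line.
fusion_leak_verdict() {
    used=$(printf '%s\n' "$1" | kmem8192_bytes_in_use) || { echo PARSE_ERROR; return 2; }
    phys=$(printf '%s\n' "$2" | phys_mem_bytes) || { echo PARSE_ERROR; return 2; }
    awk -v u="$used" -v p="$phys" \
        'BEGIN { if (u * 2 > p) print "SUSPECT"; else print "OK" }'
}

# On a live Solaris 10 host (assumed invocation, run as root):
#   fusion_leak_verdict "$(echo '::kmastat' | mdb -k)" "$(prtconf | grep 'Memory size')"
fusion_leak_verdict "$SAMPLE_KMASTAT" "$SAMPLE_PRTCONF"
```

A SUSPECT verdict matches the symptom described here but is not proof of this issue; confirm that do_tcp_fusion is non-zero before attributing the memory use to TCP Fusion.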
If the system is unresponsive then a crash dump can be taken and reviewed using mdb(1) and the above debugger commands. Details of how to force a crash dump on both SPARC and x86 systems are in the Solaris 10 System Administration Guide:
To work around the described issue until patches can be installed, disable TCP Fusion by adding the following line to the "/etc/system" file and rebooting the system:
set ip:do_tcp_fusion = 0x0
Undo the above change to the "/etc/system" file and reboot to re-enable TCP Fusion.
Note: The workaround option above may affect performance.
This issue is addressed in the following releases: