Note: This is an archival copy of Security Sun Alert 228525 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017427.1.
Solaris 10 Operating System
6367349, 6358194, 6357796, 6362390
Date of Resolved Release
Security vulnerabilities in the Solaris event port API may allow a local unprivileged user the ability to run an application which uses the API in such a way as to cause the system to panic, leading to a Denial of Service (DoS) condition.
The Apache server is an example of an application that makes use of the event port API. On a system running Apache2 (Apache/2.2.0) it may be possible for a remote unprivileged user to cause that system to panic, resulting in a Denial of Service (DoS) condition.
This issue can occur in the following releases:
Note 1: Solaris 8 and Solaris 9 are not affected by this issue.
Note 2: The Apache 2 web server that is distributed with Solaris 10 in packages SUNWapch2d and SUNWapch2u is not affected by this issue.
To determine if apache is using event port API, the following command can be used:
# pfiles <httpd pid> | grep S_IFPORT 14: S_IFPORT mode:0000 dev:301,0 uid:1 gid:12 size:0
Note: <httpd pid> refers to the process id of the apache process.
The above example indicates that the apache process has create an event port, hence this version of apache is vulnerable.
The above command will produce no output on an unaffected system.
If the described issue occurs, the system will panic with a panic stack trace similar to one of the following:
<trap>genunix:list_remove+0xb() genunix:port_remove_done_event+0x4b() portfs:port_associate_fd+0x2b8() portfs:portfs+0x303() portfs:portfs32+0x24() unix:_syscall32_save+0xad() die+78() genunix:port_remove_event_doneq+8() genunix:port_remove_fd_object+7c() genunix:port_close_pfd+20() genunix:___const_seg_900000101+8874() genunix:closeandsetf+374() genunix:close+8() mutex_enter+4() port_close_fd+0x6c() closeandsetf+0x374() close+8() syscall_trap+0xac() die+0x78() trap+0x8f0() ktl0+0x48() port_close_pfd+0x2c() port_close_fd+0x6c() closeandsetf+0x374() close+8() syscall_trap+0xac() vpanic() turnstile_block+0x61c() mutex_vector_enter+0x424() port_close_pfd+0x2c() port_close_fd+0x6c() closeandsetf+0x374() close+8() syscall_trap+0xac()
There is no workaround. Please see the "Resolution" section below.
This issue is addressed in the following releases:
This solution has no attachment