Note: This is an archival copy of Security Sun Alert 242267 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019613.1.
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
Date of Preliminary Release
Date of Workaround Release
Date of Resolved Release
Security Vulnerability in the ACL (acl(2)) Implementation for UFS File Systems May Allow a Local User to Panic the System
A security vulnerability in the Solaris Access Control List (ACL) (see acl(2)) implementation for UFS file systems may allow a local unprivileged user to panic a system which has a UFS filesystem. This is a type of Denial of Service (DoS).
Sun would like to acknowledge with thanks, Nils Goroll, for bringing this issue to our attention and aiding us in the development of a fix through the OpenSolaris project.
2. Contributing Factors
This issue can occur in the following releases:
1. Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See note in section 5 for more details.
2. This issue only affects systems which have UFS file systems mounted which are writable (read-write). To print the list of UFS file systems mounted read-write on the system, the following command can be run:
$ mount -p | grep ufs | grep rw
If this issue is experienced, the system will panic with a message similar to the following:
panic[cpu0]/thread=300043e8060: BAD TRAP: type=31 rp=2a10165f130 addr=70 mmu_fsr=0
Note that either ufs_acl_access() or ufs_iaccess() is the topmost UFS function in the call stack.
To work around the described issue, remount the filesystem with the 'nosec' option, as in the following example:
# mount -o remount,nosec /test
Note: this command option is available on all releases impacted by this issue; however, the option is not documented on Solaris 8 or 9, and is only documented for Solaris 10 with the man pages patch 119246-35 (for SPARC) and 119247-35 (for x86).
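The following script is an added example, not part of the original Sun Alert. It covers both the read-write UFS check in Contributing Factors and the 'nosec' workaround above by parsing the vfstab-format fields of `mount -p` instead of grepping whole lines, so a path that merely contains "ufs" or "rw" is not reported. The function names and sample lines are constructed, and it assumes that a 'nosec' remount is reflected in the options column of `mount -p`.

```sh
#!/bin/sh
# Added example: classify UFS mounts from `mount -p` (vfstab-format) output.
# Fields: device, fsck device, mount point, FS type, fsck pass, at-boot, options.
# Requires a POSIX awk.

# Reads vfstab-format lines on stdin and prints "<mount point> <status>" for
# every UFS file system mounted read-write.
#   exposed = read-write UFS without 'nosec' (condition described in the alert)
#   nosec   = read-write UFS with the workaround option present
# Assumption: 'nosec' appears in the options column once the remount is done.
ufs_rw_status() {
    awk '
    $4 == "ufs" {
        n = split($7, opt, ",")
        rw = 0; nosec = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "rw")    rw = 1
            if (opt[i] == "nosec") nosec = 1
        }
        if (rw) print $3, (nosec ? "nosec" : "exposed")
    }'
}

# Constructed sample input (not taken from a real system). The second and
# fourth lines match `grep ufs | grep rw` but are not read-write UFS mounts.
sample_mounts() {
    cat <<'EOF'
/dev/dsk/c0t0d0s0 - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic
/dev/dsk/c0t0d0s7 - /export/rw ufs - no ro,intr,largefiles
/dev/dsk/c0t1d0s0 - /test ufs - no rw,nosec,intr,largefiles
swap - /tmp/ufs-build tmpfs - no rw,xattr
proc - /proc proc - no
EOF
}

# Demonstration on the constructed sample.
# On a live system: mount -p | ufs_rw_status
sample_mounts | ufs_rw_status
```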
This issue is addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
08-Oct-2008: Update Resolution section for OpenSolaris
21-Oct-2008: Add acknowledgement in Impact section
15-Jan-2009: Updated Resolution patches. Updated Workaround section for T-Patches
21-Jan-2009: Updated Contributing Factors and Resolution sections Solaris 8, now Resolved
03-Jun-2009: Updated Solaris 8 patch information and Workaround section