Note: This is an archival copy of Security Sun Alert 200084 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000068.1.
Article ID : 1000068.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-04-30
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 9 Systems With Solaris Auditing (BSM) Enabled may Panic if Certain Audit Classes are Being Audited

Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4714273

Date of Resolved Release
01-MAY-2007

Impact

Local unprivileged users may be able to panic Solaris systems which have Solaris Auditing (BSM) enabled. Being able to panic a Solaris Auditing enabled system is a type of Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 122300-06

x86 Platform

  • Solaris 9 without patch 122301-06

Note 1: This issue does not affect Solaris 8 or Solaris 10.

Note 2: This issue only affects systems which have Solaris Auditing (see bsmconv(1M)) enabled.

To determine if a system has Solaris Auditing enabled the grep(1) command can be used to search the "/etc/system" file for a reference to the c2audit kernel module as in the following example:

    $ grep c2audit /etc/system
    set c2audit:audit_load = 1

Note 3: This issue only occurs on systems where Solaris Auditing has been configured to audit one of the following audit classes (see audit_class(4)):

    0x00000001:fr:file read
    0x00000002:fw:file write
    0x00000008:fm:file attribute modify
    0x00000010:fc:file create
    0x00000020:fd:file delete

To determine which audit classes have been configured on the system consult the audit_control(4) and audit_user(4) files.


Symptoms

Should the described issue occur, the system panics with a stack backtrace which ends with the following function calls:

    bcopy+0x170(300016c86c8, 0, ffffffc7, 38, 0, 300016c86c8)
    audit_savepath+0x10c(30000c29048, 0, 0, 30000225b68, 0, 300008c5d40)
    lookuppnvp+0x80c(30000225b68, 0, 1, 0, 0, 1494400)
    [...]

 


Workaround

Until patches can be applied Solaris Auditing can be configured to not audit the audit classes mentioned in Section 2 above. This can be done by modifying the audit_control(4) and audit_user(4) files and then either rebooting the system or modifying the audit preselection mask of running processes on the system using auditconfig(1M).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 122300-06 or later

x86 Platform

  • Solaris 9 with patch 122301-06 or later


References

122300-06
122301-06




Attachments
This solution has no attachment