Note: This is an archival copy of Security Sun Alert 200891 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000679.1.
Article ID : 1000679.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-07-27
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Local Unprivileged User May be Able to Cause a Denial of Service (DoS) to Solaris 10 Hosts via the "/net" Mount Point



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6336467

Date of Resolved Release
19-JUL-2006

Impact

A security vulnerability in Solaris 10 may allow a local unprivileged user to panic the system using the special "/net" mount point (or a similarly configured mount point which uses the "-hosts" special map), creating a Denial of Service (DoS) condition.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-11

x86 Platform

  • Solaris 10 without patch 118855-08

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

This issue only affects systems which have the autofs(4) service enabled and a "-hosts" entry in the "/etc/auto_master" file.

To determine if a system has the autofs(4) service enabled, the svcs(1) command can be used:

    $ svcs svc:/system/filesystem/autofs:default
    STATE          STIME    FMRI
    online         Mar_20   svc:/system/filesystem/autofs:default

To determine if a "-hosts" entry is present in the "/etc/auto_master" file, the grep(1) utility can be used:

    $ grep -- -hosts /etc/auto_master
    /net        -hosts       -nosuid,nobrowse
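The two checks above and the patch level can be combined into one exposure check. The script below is an added example, not part of the original Sun Alert. Unlike a bare grep, it ignores commented-out "-hosts" entries. It assumes saved "showrev -p" output in the usual "Patch: ID-REV" form and inspects only the local "/etc/auto_master" file, not name-service maps; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): exposure check for Sun Alert 200891.
# On Solaris 10 run with AWK=nawk; the legacy /usr/bin/awk lacks sub() and -v.
AWK=${AWK:-awk}

# hosts_map_mounts FILE
# Print the mount point of each active auto_master entry that uses the
# "-hosts" special map. Comments are stripped first, so an entry that has
# been commented out is not reported.
hosts_map_mounts() {
    "$AWK" '{ sub(/#.*/, "") } $2 == "-hosts" { print $1 }' "$1"
}

# patch_at_least BASE MINREV FILE
# Succeed if FILE (saved "showrev -p" output) lists patch BASE at
# revision MINREV or later.
patch_at_least() {
    "$AWK" -v base="$1" -v min="$2" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= min + 0) ok = 1 }
        END { exit !ok }' "$3"
}

# assess STATE AUTO_MASTER SHOWREV_FILE BASE MINREV
# STATE is the output of:
#   svcs -H -o state svc:/system/filesystem/autofs:default
# Only "online" (the state shown in the advisory) counts as enabled here.
assess() {
    mounts=$(hosts_map_mounts "$2" | tr '\n' ' ')
    if patch_at_least "$4" "$5" "$3"; then echo "patched"
    elif [ "$1" != "online" ]; then echo "unpatched, autofs not online"
    elif [ -z "$mounts" ]; then echo "unpatched, no active -hosts entry"
    else echo "EXPOSED via ${mounts% }"
    fi
}

# Constructed sample data: a SPARC host below 118833-11 with /net active.
demo_dir=$(mktemp -d)
printf '%s\n' '+auto_master' '/net  -hosts  -nosuid,nobrowse' \
    '#/hosts -hosts -nosuid' '/home auto_home -nobrowse' > "$demo_dir/auto_master"
printf '%s\n' \
    'Patch: 118833-03 Obsoletes: Requires: Incompatibles: Packages: SUNWcsr' \
    > "$demo_dir/showrev.txt"
assess online "$demo_dir/auto_master" "$demo_dir/showrev.txt" 118833 11
```

On an x86 host, pass 118855 and 8 as the last two arguments instead.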

 


Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    bad stack overflow at TL 1
    setjmp()
    panicsys()
    vpanic()
    panic()
    ptl1_panic_handler()
    fbread ()
    blkatoff()
    ufs_dirlook
    ufs_lookup()
    fop_lookup()
    lo_lookup()

 


Workaround

To work around the described issue, comment out or remove the following entry from the "/etc/auto_master" file:

    /net        -hosts          -nosuid,nobrowse

Note: For the above change to take effect, all mounts contained in the "/net" directory will need to be unmounted and the automount(1M) command will need to be run.

If it's not possible to unmount any of the mounts in the "/net" directory due to the file system being busy, then the system will need to be rebooted after the "auto_master" file has been altered.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-11 or later

x86 Platform

  • Solaris 10 with patch 118855-08 or later


References

118833-11
118855-08



