Note: This is an archival copy of Security Sun Alert 200891 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000679.1.
Article ID : 1000679.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-07-27
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Local Unprivileged User May be Able to Cause a Denial of Service (DoS) to Solaris 10 Hosts via the "/net" Mount Point



Release Phase

Solaris 10 Operating System

Bug Id

Date of Resolved Release


A security vulnerability in Solaris 10 may allow a local unprivileged user the ability to panic the system using the special "/net" mount point (or a similarly configured mount point which uses the "-hosts" special map), creating a Denial of Service (DoS) condition.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-11

x86 Platform

  • Solaris 10 without patch 118855-08

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

This issue only affects systems which have the autofs(4) service enabled and a "-hosts" entry in the "/etc/auto_master" file.

To determine if a system has the autofs(4) service enabled, the svcs(1) command can be used:

    $ svcs svc:/system/filesystem/autofs:default
    STATE          STIME    FMRI
    online         Mar_20   svc:/system/filesystem/autofs:default

To determine if a "-hosts" entry is present in the "/etc/auto_master" file, the grep(1) utility can be used:

    $ grep -- -hosts /etc/auto_master
    /net        -hosts       -nosuid,nobrowse



If the described issue occurs, the system will panic with a stack trace similar to the following:

    bad stack overflow at TL 1
    fbread ()



To work around the described issue, comment out or remove the following entry from the "/etc/auto_master" file:

    /net        -hosts          -nosuid,nobrowse

Note: All mounts contained in the "/net" directory will need to be unmounted, and the automount(1M) command will need to be used for the above change to take effect.

If it's not possible to unmount any of the mounts in the "/net" directory due to the file system being busy, then the system will need to be rebooted after the "auto_master" file has been altered.


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-11 or later

x86 Platform

  • Solaris 10 with patch 118855-08 or later



This solution has no attachment