Note: This is an archival copy of Security Sun Alert 201059 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000782.1.
Article ID : 1000782.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-10-09
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Human Interface Device (HID) Class Driver for Solaris



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6414967

Date of Resolved Release
25-SEP-2007

Impact

A security vulnerability in the Human Interface Device (HID) class driver for Solaris 8, 9 and 10 may allow a local unprivileged user to panic the system, causing a Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109896-35
  • Solaris 9 without patch 115553-28
  • Solaris 10 without patch 125123-01

x86 Platform

  • Solaris 9 without patch 115554-24
  • Solaris 10 without patch 125124-01

Notes:

  1. Solaris 8 on the x86 platform is not affected by this issue.
  2. Systems are only impacted by this issue if the HID module is loaded. This happens as soon as you plugin a USB HID class device to the host. USB keyboard, mouse, etc fall into this category.

To determine if the HID module is loaded, the following command can be run:

    $ modinfo | grep hid
    84  138cc18   36d8  54   1  hid (USB HID Client Driver 1.36)
    85  138f938   32e8   -   1  hidparser (HID PARSER 1.13)

Symptoms

A system panic due to this issue will contain a stack trace similar to the following:

    freemsg+0x46()
    hid_qreply_merror+0x44()
    hid_wput+0x19f()
    putnext+0x31a()
    usbms_wput+0xc3()
    putnext+0x31a()
    consmslwserv+0x3d()
    runservice+0x62()
    queue_service+0x5b()
    stream_service+0xe8()
    taskq_d_thread+0xe8()
    thread_start+8()

Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109896-35 or later
  • Solaris 9 with patch 115553-28 or later
  • Solaris 10 with patch 125123-01 or later

x86 Platform

  • Solaris 9 with patch 115554-24 or later
  • Solaris 10 with patch 125124-01 or later


Modification History
Date: 10-OCT-2007
  • Updated Contributing Factors section


References

125123-01
125124-01
115553-28
115554-24
109896-35




Attachments
This solution has no attachment