Note: This is an archival copy of Security Sun Alert 201117 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000837.1.
Article ID : 1000837.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-04-17
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability Involving the "pagedata" Subsystem of the Process File System (/proc(4)) May Cause the System to Hang or Panic
Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6324745, 6330765

Date of Resolved Release
03-MAR-2006

Impact

A local unprivileged user may be able to cause significant performance degradation, hang the system, or panic the system, resulting in a Denial of Service (DoS) condition. This is due to a security vulnerability involving the pagedata subsystem of the process file system "/proc" (see proc(4)).


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 117350-33
  • Solaris 9 without patch 118558-22
  • Solaris 10 without patch 118822-29

x86 Platform

  • Solaris 8 without patch 117351-33
  • Solaris 9 without patch 118559-22
  • Solaris 10 without patch 118844-29

Symptoms

The symptoms of degraded performance will be a lack of virtual memory due to the "kmem_oversize" arena allocating or having allocated an unusually large proportion of system memory without freeing it. This can be confirmed with the kstat(1M) utility as follows:

    $ kstat vmem::kmem_oversize

The output would show substantially more "allocs" than "frees" and a large value for "mem_inuse."
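The kstat check above can be scripted so that the alloc/free gap and the arena's share of physical memory are reported in one step. The following is an added example, not part of the Sun Alert: it reads `kstat -p vmem::kmem_oversize` output from standard input, and the flagging thresholds, the 4 GiB physical-memory figure and the "leaking" sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Reads "kstat -p vmem::kmem_oversize" output (module:instance:name:statistic value,
# one pair per line) and compares allocs with frees and mem_inuse with physical memory.
# check_kmem_oversize PHYSMEM_BYTES < kstat-p-output
# Prints a one-line summary; returns 1 when the arena looks like it is not freeing.
check_kmem_oversize() {
    awk -v physmem="${1:-0}" '
        {
            n = split($1, k, ":")      # k[n] is the statistic name, $2 its value
            v[k[n]] = $2
        }
        END {
            outstanding = v["alloc"] - v["free"]
            pct = (physmem > 0) ? 100 * v["mem_inuse"] / physmem : 0
            printf("alloc=%.0f free=%.0f outstanding=%.0f mem_inuse=%.0f bytes (%.1f%% of physmem)\n",
                   v["alloc"], v["free"], outstanding, v["mem_inuse"], pct)
            # Assumed thresholds: more than half of all allocations still outstanding
            # AND the arena holding more than a quarter of physical memory.
            if (v["alloc"] > 0 && outstanding > v["alloc"] / 2 && pct > 25) exit 1
            exit 0
        }'
}

# Constructed samples in kstat -p layout. HEALTHY reuses the alloc/free/mem_inuse
# figures from the advisory's mdb excerpt; LEAKING is a made-up arena that never frees.
HEALTHY='vmem:32:kmem_oversize:alloc 1086
vmem:32:kmem_oversize:free 981
vmem:32:kmem_oversize:mem_inuse 16098796
vmem:32:kmem_oversize:mem_total 16384000'

LEAKING='vmem:32:kmem_oversize:alloc 52000
vmem:32:kmem_oversize:free 1200
vmem:32:kmem_oversize:mem_inuse 3435973836
vmem:32:kmem_oversize:mem_total 3489660928'

PHYSMEM=4294967296   # 4 GiB, assumed for the samples

printf '%s\n' "$HEALTHY" | check_kmem_oversize "$PHYSMEM" || echo "healthy sample unexpectedly flagged"
printf '%s\n' "$LEAKING" | check_kmem_oversize "$PHYSMEM" || echo "WARNING: kmem_oversize arena looks like it is not freeing"

# On a live Solaris system (not run here), feed the real kstat output and the
# physical memory size reported by prtconf(1M):
#   kstat -p vmem::kmem_oversize | check_kmem_oversize "$(prtconf 2>/dev/null | awk '/^Memory size/ {print $3 * 1048576}')"
```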

For customers using a kernel debugger such as mdb(1) or kmdb(1), either on a live system or on a system crash dump, the kmem_oversize arena can be inspected to compare the number of "allocs" and "frees". For example, using mdb(1):

    > ::vmem ! grep kmem_oversize
    0000030000034000     kmem_oversize    16098796   16384000 1097 0
    > 0000030000034000::print vmem_t vm_kstat.vk_free.value.l
    vm_kstat.vk_free.value.l = 0x3d5
    > 0000030000034000::print vmem_t vm_kstat.vk_alloc.value.l
    vm_kstat.vk_alloc.value.l = 0x43e

The symptoms of a system panic will be a "NULL pointer dereference" message similar to the following:

    BAD TRAP: type=31 rp=2a1006b7480 addr=180 mmu_fsr=0 occurred in module
    "genunix" due to a NULL pointer dereference

Workaround

There is no workaround to these issues. Please see the Resolution section below.


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 117350-33 or later
  • Solaris 9 with patch 118558-22 or later
  • Solaris 10 with patch 118822-29 or later

x86 Platform

  • Solaris 8 with patch 117351-33 or later
  • Solaris 9 with patch 118559-22 or later
  • Solaris 10 with patch 118844-29 or later


Modification History

Date: 08-MAR-2006
  • Updated Contributing Factors and Resolution sections

Date: 28-MAR-2006
  • Updated Contributing Factors and Resolution sections


References

117350-33
117351-33
118558-22
118559-22
118822-29
118844-29
