Note: This is an archival copy of Security Sun Alert 201263 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000946.1.
Article ID : 1000946.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the TCP Loopback/Fusion Code May Lead to a System Hang Resulting in a Denial of Service (DoS)



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6449337

Date of Resolved Release
27-JUN-2007

Impact

An unprivileged local user may be able to exhaust all available kernel memory and cause the system to hang due to a security vulnerability in the TCP Loopback/Fusion implementation in Solaris 10. The ability to hang a system is a type of Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-17 through 118833-36 and without patch 125100-10

x86 Platform

  • Solaris 10 with patch 118855-15 through 118855-36 and without patch 125101-10

Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.

Note 2: This only affects systems which have TCP Fusion enabled. This can be determined using a command such as the following, which makes use of mdb to query the value of the do_tcp_fusion variable:

    # mdb -k
    Loading modules: [ unix krtld genunix specfs dtrace ufs sd pcipsy ip
    sctp usba fctl nca crypto zfs random ipc nfs audiosup logindmux ptm
    cpc fcip sppp lofs ]
    > do_tcp_fusion/X
    do_tcp_fusion:
    do_tcp_fusion:  0

If the value returned is "0", the host is not impacted.


Symptoms

If the described issue occurs, the system will slow down considerably, eventually becoming unresponsive.

When the system is slow, but not unresponsive, the following commands can be used to ascertain the occurrence of the issue:

    # echo "::kmastat ! head -3" | mdb -k ; \
    echo "::kmastat !egrep kmem_alloc_8192" | mdb -k
    cache                        buf    buf    buf    memory     alloc alloc
    name                        size in use  total    in use   succeed fail
    ------------------------- ------ ------ ------ --------- --------- -----
    kmem_alloc_8192             8192   8874   9605  78684160    192013     0

If the column entry for "buf in use" multiplied by 8192 is more than 50% of physical memory on the system, the system may have hit this issue.
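As an added example (not part of the original Sun Alert and not Sun's code), the shell functions below apply the patch-range test from Contributing Factors and the 50% `kmem_alloc_8192` test above to saved command output. The function names, the `AWK` variable, the use of `showrev -p` as the patch list source, the sample patch lines and the 128 MB memory size are assumptions made for the illustration.

```shell
#!/bin/sh
AWK=${AWK:-awk}  # assumption: an awk with -v support (nawk on Solaris 10)

# Constructed `showrev -p` lines; the kmastat row is the one shown above.
SAMPLE_PATCHES='Patch: 118833-24 Obsoletes: Requires: Incompatibles: Packages: SUNWckr
Patch: 125100-04 Obsoletes: Requires: Incompatibles: Packages: SUNWckr'
SAMPLE_KMASTAT='kmem_alloc_8192             8192   8874   9605  78684160    192013     0'

# highest_rev BASE: highest installed revision of patch BASE, 0 if absent.
# Reads showrev -p text on stdin; only the "Patch:" field is considered.
highest_rev() {
    $AWK -v base="$1" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 > max) max = p[2] + 0 }
        END { print max + 0 }'
}

# patch_exposed PLATFORM TEXT: true if TEXT (showrev -p output) falls in the
# advisory's affected range and lacks the fixing revision (-10 or later).
patch_exposed() {
    case "$1" in
        sparc) vuln=118833 lo=17 fix=125100 ;;
        x86)   vuln=118855 lo=15 fix=125101 ;;
        *)     return 2 ;;
    esac
    v=$(printf '%s\n' "$2" | highest_rev "$vuln")
    f=$(printf '%s\n' "$2" | highest_rev "$fix")
    [ "$v" -ge "$lo" ] && [ "$v" -le 36 ] && [ "$f" -lt 10 ]
}

# kmem8192_in_use_bytes: "buf in use" x 8192 from ::kmastat text on stdin.
kmem8192_in_use_bytes() {
    $AWK '$1 == "kmem_alloc_8192" { printf "%.0f\n", $3 * 8192; hit = 1 }
          END { if (!hit) print 0 }'
}

# kmem_over_half PHYS_MB: true if that figure exceeds 50% of physical memory.
kmem_over_half() {
    used=$(kmem8192_in_use_bytes)
    $AWK -v u="$used" -v mb="$1" 'BEGIN { if (u * 2 > mb * 1048576) exit 0; exit 1 }'
}

# Demo on the samples, assuming a SPARC host with 128 MB of memory.
patch_exposed sparc "$SAMPLE_PATCHES" && echo "patch level: exposed"
printf '%s\n' "$SAMPLE_KMASTAT" | kmem_over_half 128 && echo "kmem_alloc_8192 > 50%"
```

On a live host, pass the saved `showrev -p` output as the second argument to `patch_exposed` and pipe the `::kmastat` output into `kmem_over_half` together with the machine's memory size in megabytes.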

If the system is unresponsive then a crash dump can be taken and reviewed using mdb(1) and the above debugger commands. Details of how to force a crash dump on both SPARC and x86 systems are in the Solaris 10 System Administration Guide:


Workaround

To work around the described issue until patches can be installed, disable TCP Fusion by adding the following line to the "/etc/system" file and rebooting the system:

    set ip:do_tcp_fusion = 0x0

Undo the above change to the "/etc/system" file and reboot to re-enable TCP Fusion.

Note: The workaround option above may affect performance.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 125100-10 or later

x86 Platform

  • Solaris 10 with patch 125101-10 or later


References

125100-10
125101-10