Note: This is an archival copy of Security Sun Alert 201352 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001025.1.
Article ID : 1001025.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-11-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the hsfs(7FS) File System

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6244328

Date of Resolved Release
24-FEB-2006

Impact

A security vulnerability in the Solaris file system driver for hsfs(7FS) file systems may allow local unprivileged users the ability to panic the system, creating a Denial of Service (DoS) condition, and/or execute arbitrary code with elevated privileges.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109764-06
  • Solaris 9 without patch 116047-03
  • Solaris 10 without patch 119596-03

x86 Platform

  • Solaris 8 without patch 109765-06
  • Solaris 9 without patch 121995-01
  • Solaris 10 without patch 118813-03

Symptoms

If the described issue occurs, the system will panic with BAD TRAPs at various locations in the hsfs(7FS) module. There are many potential stack traces, but the most frequent panic has a stack trace similar to the following:

    <trap>genunix:segmap_getmapflt+0x30([ ... ])
    genunix:fbread+0x60([ ... ])
    hsfs:hs_dirlook+0x1e0()
    hsfs:hsfs_lookup([ ... ])
    genunix:lookuppnvp+0x2ac([ ... ])
    genunix:lookuppnat+0x124([ ... ])
    genunix:lookupnameat+0xb0([ ... ])
    genunix:lookupname([ ... ])
    genunix:chdir+0x14([ ... ])
    unix:syscall_trap32+0xa8()

Note: The above example is only one of several failure modes (the most pervasive)that may be seen.


Workaround

To work around the described issue, sites may choose to disable the use of CDROM media by removing the references to the hsfs(7FS) file system from "/etc/vold.conf" and commenting out the lines in "/etc/rmmount.conf" referring to the hsfs(7FS) file system.

To identify the references to the hsfs(7FS) file system, the following command can be run:

    $ grep hsfs /etc/vold.conf /etc/rmmount.conf
    /etc/vold.conf:unsafe ufs hsfs pcfs udfs
    /etc/rmmount.conf:ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:mount * hsfs udfs ufs -o nosuid

To disallow CDROM access for unprivileged users, do the following:

Replace the lines:

    /etc/vold.conf:unsafe ufs hsfs pcfs udfs
    /etc/rmmount.conf:ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:mount * hsfs udfs ufs -o nosuid

With:

    /etc/vold.conf:unsafe ufs pcfs udfs
    /etc/rmmount.conf:#ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:#mount * hsfs udfs ufs -o nosuid

Note: The example shown above is on an unmodified Solaris 9 system.


Resolution

This issue is addressed in the following releases:

SPARC platform

  • Solaris 8 with patch 109764-06 or later
  • Solaris 9 with patch 116047-03 or later
  • Solaris 10 with patch 119596-03 or later

x86 Platform

  • Solaris 8 with patch 109765-06 or later
  • Solaris 9 with patch 121995-01 or later
  • Solaris 10 with patch 118813-03 or later


References

109764-06
109765-06
116047-03
121995-01
119596-03
118813-03




Attachments
This solution has no attachment