Note: This is an archival copy of Security Sun Alert 201478 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001105.1.
Article ID : 1001105.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-09-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Use of "namefs" Mounted pipe(2) and Certain STREAMS Routines May Panic a Solaris System



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4711164

Date of Resolved Release
14-OCT-2003

Impact

A kernel race condition may cause a Solaris system working as a print server to panic during high loads. This race condition may also be triggered by an unprivileged local user executing exploit code which utilizes pipe(2) and certain STREAMS routines.

Note: This condition does not allow a local user to gain root or uid(0) access to the system.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 114941-01
  • Solaris 7 without patch 114944-01
  • Solaris 8 without patch 114984-01
  • Solaris 9 without patch 114971-01

x86 Platform

  • Solaris 2.6 without patch 114942-01
  • Solaris 7 without patch 114945-01
  • Solaris 8 without patch 114985-01
  • Solaris 9 without patch 114972-01

This issue is most likely to occur on, but is not limited to, systems having more than one CPU. Some of the print service programs can also trigger this issue if print services are used extensively on the system.


Symptoms

To verify whether a system has encountered this issue, check the stack trace in the crash dump, which is typically located in the "/var/crash/<hostname>" directory. There is a high probability that the system has encountered this issue if the stack trace is similar to the following:

    # ls
    unix.0       vmcore.0
    # /usr/bin/adb -k unix.0 vmcore.0
    physmem 7a7c1
    $c
    fifo_vfastoff+4
    stubs_common_code+0x70
    msgio32+0x8c
    putmsg32+0x9c
    syscall_trap32+0xa8
    $q
    #

Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 114941-01 or later
  • Solaris 7 with patch 114944-01 or later
  • Solaris 8 with patch 114984-01 or later
  • Solaris 9 with patch 114971-01 or later

x86 Platform

  • Solaris 2.6 with patch 114942-01 or later
  • Solaris 7 with patch 114945-01 or later
  • Solaris 8 with patch 114985-01 or later
  • Solaris 9 with patch 114972-01 or later
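
One way to check a host against the patch lists above, as an added example that is not part of the original Sun Alert. The function names are hypothetical, the "Patch: ... Obsoletes: ..." line layout of `showrev -p` output is assumed, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): patch check for Bug Id 4711164.

# Patch required for a given `uname -r` / `uname -p` pair, per the lists above.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 114941-01 ;;  5.6/i386) echo 114942-01 ;;
        5.7/sparc) echo 114944-01 ;;  5.7/i386) echo 114945-01 ;;
        5.8/sparc) echo 114984-01 ;;  5.8/i386) echo 114985-01 ;;
        5.9/sparc) echo 114971-01 ;;  5.9/i386) echo 114972-01 ;;
        *) return 1 ;;
    esac
}

# Reads `showrev -p` text on stdin. Succeeds if patch $1 (ID-REV) is installed
# at that revision or later, or an installed patch lists it under Obsoletes:.
patch_present() {
    awk -v want="$1" '
        BEGIN { split(want, w, "-"); found = 0 }
        {
            scan = 0
            for (i = 1; i <= NF; i++) {
                # Only IDs in the Patch: and Obsoletes: fields are compared.
                if ($i == "Patch:" || $i == "Obsoletes:") { scan = 1; continue }
                if ($i ~ /:$/) { scan = 0; continue }
                if (!scan) continue
                f = $i; sub(/,$/, "", f)
                n = split(f, p, "-")
                if (n == 2 && p[1] == w[1] && p[2] + 0 >= w[2] + 0) { found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_alert RELEASE ARCH  (showrev -p text on stdin)
check_alert() {
    need=$(required_patch "$1" "$2") || { echo "release not listed in alert"; return 0; }
    if patch_present "$need"; then echo "patched: $need or later present"
    else echo "exposed: install $need or later"; fi
}

# Constructed sample of showrev -p output (patches 99999x are placeholders).
SAMPLE='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 114971-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 999998-03 Obsoletes: 114945-01 Requires:  Incompatibles:  Packages: SUNWcsr'

printf '%s\n' "$SAMPLE" | check_alert 5.9 sparc
# On a live host: showrev -p | check_alert "$(uname -r)" "$(uname -p)"
```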


Modification History

References

114945-01
114944-01
114984-01
114941-01
114942-01
114985-01
114972-01
114971-01



