Category
Security
Release Phase
Resolved
ProductSolaris 10 Operating System
Bug Id
6367349, 6358194, 6357796, 6362390
Date of Resolved Release19-JUL-2006
Impact
Security vulnerabilities in the Solaris event port API may allow a local unprivileged user the ability to run an application which uses the API in such a way as to cause the system to panic, leading to a Denial of Service (DoS) condition.
The Apache server is an example of an application that makes use of the event port API. On a system running Apache2 (Apache/2.2.0) it may be possible for a remote unprivileged user to cause that system to panic, resulting in a Denial of Service (DoS) condition.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 10 without patch 118833-12
x86 Platform
- Solaris 10 without patch 118855-10
Note 1: Solaris 8 and Solaris 9 are not affected by this issue.
Note 2: The Apache 2 web server that is distributed with Solaris 10 in packages SUNWapch2d and SUNWapch2u is not affected by this issue.
To determine if apache is using event port API, the following command can be used:
# pfiles <httpd pid> | grep S_IFPORT
14: S_IFPORT mode:0000 dev:301,0 uid:1 gid:12 size:0
Note: <httpd pid> refers to the process id of the apache process.
The above example indicates that the apache process has create an event port, hence this version of apache is vulnerable.
The above command will produce no output on an unaffected system.
Symptoms
If the described issue occurs, the system will panic with a panic stack trace similar to one of the following:
<trap>genunix:list_remove+0xb()
genunix:port_remove_done_event+0x4b()
portfs:port_associate_fd+0x2b8()
portfs:portfs+0x303()
portfs:portfs32+0x24()
unix:_syscall32_save+0xad()
die+78()
genunix:port_remove_event_doneq+8()
genunix:port_remove_fd_object+7c()
genunix:port_close_pfd+20()
genunix:___const_seg_900000101+8874()
genunix:closeandsetf+374()
genunix:close+8()
mutex_enter+4()
port_close_fd+0x6c()
closeandsetf+0x374()
close+8()
syscall_trap+0xac()
die+0x78()
trap+0x8f0()
ktl0+0x48()
port_close_pfd+0x2c()
port_close_fd+0x6c()
closeandsetf+0x374()
close+8()
syscall_trap+0xac()
vpanic()
turnstile_block+0x61c()
mutex_vector_enter+0x424()
port_close_pfd+0x2c()
port_close_fd+0x6c()
closeandsetf+0x374()
close+8()
syscall_trap+0xac()
Workaround
There is no workaround. Please see the "Resolution" section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 10 with patch 118833-12 or later
x86 Platform
- Solaris 10 with patch 118855-10 or later
References
118833-12
118855-10
AttachmentsThis solution has no attachment