Note: This is an archival copy of Security Sun Alert 228525 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017427.1.
Article ID : 1017427.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-08-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in The Solaris Event Port API May Result in a Denial of Service (DoS) Condition



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6367349, 6358194, 6357796, 6362390

Date of Resolved Release
19-JUL-2006

Impact

Security vulnerabilities in the Solaris event port API may allow a local unprivileged user the ability to run an application which uses the API in such a way as to cause the system to panic, leading to a Denial of Service (DoS) condition.

The Apache server is an example of an application that makes use of the event port API. On a system running Apache2 (Apache/2.2.0) it may be possible for a remote unprivileged user to cause that system to panic, resulting in a Denial of Service (DoS) condition.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-12

x86 Platform

  • Solaris 10 without patch 118855-10

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: The Apache 2 web server that is distributed with Solaris 10 in packages SUNWapch2d and SUNWapch2u is not affected by this issue.

To determine if apache is using event port API, the following command can be used:

    # pfiles <httpd pid> | grep S_IFPORT
    14: S_IFPORT mode:0000 dev:301,0 uid:1 gid:12 size:0

Note: <httpd pid> refers to the process id of the apache process.

The above example indicates that the apache process has create an event port, hence this version of apache is vulnerable.

The above command will produce no output on an unaffected system.


Symptoms

If the described issue occurs, the system will panic with a panic stack trace similar to one of the following:

    <trap>genunix:list_remove+0xb()
    genunix:port_remove_done_event+0x4b()
    portfs:port_associate_fd+0x2b8()
    portfs:portfs+0x303()
    portfs:portfs32+0x24()
    unix:_syscall32_save+0xad()
    die+78()
    genunix:port_remove_event_doneq+8()
    genunix:port_remove_fd_object+7c()
    genunix:port_close_pfd+20()
    genunix:___const_seg_900000101+8874()
    genunix:closeandsetf+374()
    genunix:close+8()
    mutex_enter+4()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()
    die+0x78()
    trap+0x8f0()
    ktl0+0x48()
    port_close_pfd+0x2c()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()
    vpanic()
    turnstile_block+0x61c()
    mutex_vector_enter+0x424()
    port_close_pfd+0x2c()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()

 


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-12 or later

x86 Platform

  • Solaris 10 with patch 118855-10 or later


References

118833-12
118855-10




Attachments
This solution has no attachment