Note: This is an archival copy of Security Sun Alert 241066 as previously published on
Latest version of this security advisory is available from as Sun Alert 1019556.1.
Article ID : 1019556.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-08-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the Solaris NFS Kernel Module May Lead to a System Panic, Resulting in a Denial of Service (DoS)


Release Phase

Bug Id

Solaris 10 Operating System

Date of Resolved Release

A Security Vulnerability in the Solaris NFS Kernel Module:

1. Impact

A security vulnerability in the Solaris NFS kernel module on Solaris 10 systems with kernel patches 120011-14 (SPARC) and 120012-14 (x86) may allow a local unprivileged user to cause an NFS server to panic, resulting in a Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 10 with patch 120011-14 and without patch 138070-02
  • OpenSolaris based upon builds snv_59 through snv_87
x86 Platform
  • Solaris 10 with patch 120012-14 and without patch 138071-02
  • OpenSolaris based upon builds snv_59 through snv_87
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.

Note 2: An OpenSolaris distribution may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be used:
    $ uname -v
To determine if a system has a Package Repository Update (PRU) installed that addresses this issue, execute the following command:
    $ pkg contents -o name,value -t set | grep 6614416
    com.sun.service.incorporated_changes 6614416
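The following shell script is an added example, not part of the original Sun Alert: it applies the patch and build criteria listed above to saved `showrev -p`, `uname -p`, `uname -v` and `pkg contents` output. The function names and the sample patch list are constructed for illustration, and it assumes that any installed revision of 120011/120012 at or above -14 counts as having that patch.

```shell
#!/bin/sh
# Added example: classify a host against this advisory's patch/build criteria.
# Functions take captured command output as text so saved data can be checked.

# highest_rev ID: read `showrev -p` text on stdin, print highest revision of ID.
highest_rev() {
    awk -v id="$1" '$1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id) { found = 1; if (p[2] + 0 > max) max = p[2] + 0 }
        }
        END { if (found) print max }'
}

# solaris10_status ARCH PATCHLIST: ARCH is `uname -p` (sparc or i386).
# Assumption: any installed revision >= -14 counts as "with patch ...-14".
solaris10_status() {
    case "$1" in
        sparc) trigger=120011 fix=138070 ;;
        i386)  trigger=120012 fix=138071 ;;
        *) echo unknown; return 0 ;;
    esac
    t=$(printf '%s\n' "$2" | highest_rev "$trigger")
    f=$(printf '%s\n' "$2" | highest_rev "$fix")
    if [ -n "$f" ] && [ "$f" -ge 2 ]; then echo fixed
    elif [ -n "$t" ] && [ "$t" -ge 14 ]; then echo affected
    else echo not-affected
    fi
}

# opensolaris_status UNAME_V [PKG_SET]: PKG_SET is the `pkg contents ... -t set` output.
opensolaris_status() {
    case "$1" in snv_*) b=${1#snv_} ;; *) echo unknown; return 0 ;; esac
    b=${b%%[!0-9]*}                      # drop a suffix such as the "b" in snv_111b
    [ -n "$b" ] || { echo unknown; return 0; }
    if [ "$b" -lt 59 ]; then echo not-affected
    elif [ "$b" -gt 87 ]; then echo fixed
    elif printf '%s\n' "$2" | grep 6614416 >/dev/null; then echo fixed   # PRU installed
    else echo affected
    fi
}

# Constructed sample input (not taken from a real system).
SAMPLE='Patch: 120011-14 Obsoletes: Requires: Incompatibles: Packages:
Patch: 138070-01 Obsoletes: Requires: Incompatibles: Packages:'
echo "sample SPARC host: $(solaris10_status sparc "$SAMPLE")"
echo "sample snv_79 host: $(opensolaris_status snv_79 '')"
```

The script matches only the `Patch:` field of each line, so a patch that appears solely in another patch's `Obsoletes:` list is not counted.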
3. Symptoms

If the described issue occurs, the NFS server system may panic with a stack trace similar to the following:
    > $C
    db66a878 cdev_ioctl+0x16(1a000a0, 422, 0, 80100000, dc78e338, db66a960)
    db66a964 spec_fsync+0xd5(dc949d80, 10000, dc78e338)
    db66a988 fop_fsync+0x1b(dc949d80, 10000, dc78e338)
    db66aac8 rfs3_mknod+0x26d(db66aaf0, db66abc8, dc93f380, db66ad9c, dc78e338)
    db66ad24 common_dispatch+0x3f9()
    db66ad44 rfs_dispatch+0x1c(db66ad9c, cd690740)
    db66add0 svc_getreq+0x158(cd690740, cd7d2340)
    db66adf8 svc_run+0x125(db8312c0)
    db66ae0c svc_do_run+0x6b(1)
    db66af84 nfssys+0x4cf()
    db66afac sys_sysenter+0x101()
4. Workaround

To work around the described issue, mount the NFS file system on the NFS client side using the mount_nfs(1M) "-o nodevices" option.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 138070-02 or later
  • OpenSolaris based upon builds snv_88 or later
x86 Platform
  • Solaris 10 with patch 138071-02 or later
  • OpenSolaris based upon builds snv_88 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
27-Aug-2008: Updated the Workaround section


