Note: This is an archival copy of Security Sun Alert 242267 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019613.1.
Article ID : 1019613.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-06-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the ACL (acl(2)) Implementation for UFS File Systems May Allow a Local User to Panic the System

Category
Security

Release Phase
Resolved

Bug Id
6748275

Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Preliminary Release
18-Sep-2008

Date of Workaround Release
15-Jan-2009

Date of Resolved Release
21-Jan-2009

Security Vulnerability in the ACL (acl(2)) Implementation for UFS File Systems May Allow a Local User to Panic the System

1. Impact

A security vulnerability in the Solaris Access Control List (ACL) (see acl(2)) implementation for UFS file systems may allow a local unprivileged user to panic a system which has a UFS filesystem. This is a type of Denial of Service (DoS).

Sun would like to acknowledge with thanks, Nils Goroll, for bringing this issue to our attention and aiding us in the development of a fix through the OpenSolaris project.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 8 without patch 117350-60
  • Solaris 9 without patch 122300-34
  • Solaris 10 without patch 139483-01
  • OpenSolaris based upon builds snv_01 through snv_99
x86 Platform
  • Solaris 8 without patch 117351-60
  • Solaris 9 without patch 122301-34
  • Solaris 10 without patch 139484-01
  • OpenSolaris based upon builds snv_01 through snv_99
Notes:

1. Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See note in section 5 for more details.

2. This issue only affects systems which have UFS file systems mounted which are writable (read-write). To print the list of UFS file systems mounted read-write on the system, the following command can be run:
$ mount -p | grep ufs | grep rw

3. Symptoms

If this issue is experienced, the system will panic with a message similar to the following:
panic[cpu0]/thread=300043e8060: BAD TRAP: type=31 rp=2a10165f130 addr=70 mmu_fsr=0 
occurred in module "ufs" due to a NULL pointer dereference

unix:die+78 (...)
unix:trap+9e0 (...)
unix:ktl0+48 (...)
ufs:ufs_acl_access+4 (...)
ufs:ufs_dirlook+48 (...)
ufs:ufs_lookup+2ac (...)
genunix:fop_lookup+28 (...)
genunix:lookuppnvp+344 (...)
genunix:lookuppnat+120 (...)
genunix:lookupnameat+5c (...)
genunix:cstatat_getvp+198 (...)
genunix:cstatat64_32+40 (...)
Note that either ufs_acl_access() or ufs_iaccess() are the top most UFS functions in the call stack.

4. Workaround

To work around the described issue, remount the filesystem with the 'nosec' option, as in the following example:
# mount -o remount,nosec /test
Note this command option is available on all releases impacted by this issue, however, the option is not documented on Solaris 8 or 9, and is only documented for Solaris 10 with the man pages patch 119246-35 (for SPARC) and 119247-35 (for x86).

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 8 with patch 117350-60 or later
  • Solaris 9 with patch 122300-34 or later
  • Solaris 10 with patch 139483-01 or later
  • OpenSolaris based upon builds snv_100 or later
x86 Platform
  • Solaris 8 with patch 117351-60 or later
  • Solaris 9 with patch 122301-34 or later
  • Solaris 10 with patch 139484-01 or later
  • OpenSolaris based upon builds snv_100 or later

Note: The READMEs of Solaris 8 patches developed on or after 1 April 2009 are available to all customers. However, Solaris 8 entered EOSL Phase 2 on April 1, 2009 and thus entitlement for these patches, including those that fix security vulnerabilities, requires the purchase of the Solaris 8 Vintage Patch Service. More information about the Solaris 8 Vintage Patch Service is available at:


For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
08-Oct-2008: Update Resolution section for OpenSolaris
21-Oct-2008: Add acknowledgement in Impact section
15-Jan-2009: Updated Resolution patches. Updated Workaround section for T-Patches
21-Jan-2009: Updated Contributing Factors and Resolution sections Solaris 8, now Resolved
03-Jun-2009: Updated Solaris 8 patch information and Workaround section


References
 139483-01

 139484-01

 122300-34

 122301-34

 117350-60

 117351-60



                         


Attachments
This solution has no attachment