Category
Security
Category
Availability
Release Phase
Resolved
Bug Id
6425723, 6679732, 6442712
ProductSolaris 10 Operating System
OpenSolaris
Date of Resolved Release16-Mar-2009
Several vulnerabilities in the UFS file system involving the ufs_getpage()
and ufs_putapage() routines (see below for full details)
1. Impact
Several vulnerabilities in the UFS file system involving the ufs_getpage()
and ufs_putapage() routines may lead to a system hang or a system panic.
The specific impact for each of the issues are as follows:
CR 6442712
A local unprivileged user may be able to cause all writes to a UFS
filesystem to hang on x86 systems running OpenSolaris builds snv_39
through snv_45 in 64-bit mode. This can then prevent applications and
commands from succeeding which is a type of Denial of Service (DoS). In
addition, if the root (/) filesystem is UFS then this may lead to a system
hang which is a type of Denial of Service (DoS).
CR 6425723
A local unprivileged user may be able to cause all writes to a UFS
filesystem to hang on SPARC sun4v systems running Solaris 10 with patch
138888-01 or later and without patch 139483-05 or OpenSolaris builds
snv_47 through snv_85. This can then prevent applications and
commands from succeeding which is a type of Denial of Service (DoS). In
addition, if the root (/) filesystem is UFS then this may lead to a system
hang which is a type of Denial of Service (DoS).
CR 6679732
A local unprivileged user may be able to panic x86 systems running
OpenSolaris builds snv_86 through snv_91 in 32-bit mode with at least one
UFS filesystem present.
2. Contributing Factors
These issues can occur in the following releases:
when running in 64 bit mode only (CR 6442712)
x86 Platform
when running on sun4v systems only (CR 6425723)
SPARC Platform
when running in 32 bit mode only (CR 6679732)
x86 Platform
Notes:
- OpenSolaris distributions may include additional
bug fixes above and beyond the build from which it was derived.
The base build can be derived as follows:-
$ uname -v
snv_86
- Solaris 8 and 9 are not impacted by this issue.
Solaris 10 on the x86 platform is not impacted by this issue.
- To determine if a system is sun4v, execute the following command.
$ uname -m
sun4v
- To determine if the currently running system is running in 32-bit or
64-bit mode, the isainfo(1) command can be used as in the following example:
$ isainfo -b
64
3. Symptoms
When this issue (6442712 & 6425723) occurs, there will be a hung kernel
thread with a stack similar to:
bmap_write+0x50()
ufs_getpage+0x438()
fop_getpage+0x44()
segmap_getmapflt+0x588()
wrip+0x63c()
ufs_write+0x580()
fop_write+0x20()
write+0x268()
syscall_trap32+0xcc()
The panic issue (6679732) will have a stack simliar to:
vcmn_err+16()
real_panic_v+10c()
ufs_fault_v+104()
ufs_fault+3a()
ufs_putapage+596()
ufs_putpages+2a9()
ufs_putpage+16c()
fop_putpage+49()
segmap_release+2da()
wrip+8d4()
ufs_write+4d2()
fop_write+4a()
And will generate a panic message of the form:
ufs_putapage: bn == UFS_HOLE
4. Workaround
To avoid the hang issue (6442712 & 6425723) until patches can be applied,
add the following entry to the file /etc/system and reboot the system:
set segmap_kpm = 0x0
5. Resolution
These issues are addressed in the following releases:
CR 6442712
x86 Platform
CR 6425723
SPARC Platform
CR 6679732
x86 Platform
For more information on Security Sun Alerts, see
References
139483-05
References
SUNPATCH:139483-05
AttachmentsThis solution has no attachment