Note: This is an archival copy of Security Sun Alert 257331 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020388.1.
Article ID : 1020388.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in OpenSolaris SCTP Sockets May Allow Unprivileged Users to Panic the System



Category
Security

Release Phase
Resolved

Bug Id
6796351

Product
OpenSolaris

Date of Resolved Release
20-Apr-2009

1. Impact

Due to a security vulnerability in SCTP sockets, OpenSolaris systems may
allow an unprivileged local user to panic the system and thereby cause a
denial of service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • OpenSolaris based upon builds snv_106 through snv_107

x86 Platform
  • OpenSolaris based upon builds snv_106 through snv_107

Note: OpenSolaris distributions may include additional bug fixes above and
beyond the build from which they were derived. The base build can be determined as follows:

$ uname -v
snv_86

Solaris 8, 9 and 10 are not impacted by this issue.


3. Symptoms

If this issue is exploited to cause a denial of service, the kernel panics
and the lower part of the stack trace is similar to the one below. The
key identifying feature of the panic is the presence of both "sosctp_close()"
and "sctp_sack()" in the stack trace.


        sctp_sack+0xcf(ffffff09c5b45928, 0)
        sctp_recvd+0xe8(ffffff09c5b45928, 19000)
        sosctp_close+0x4c(ffffff05727bcc90, 3, ffffff01d9151608)
        socket_close_internal+0x3a(ffffff05727bcc90, 3, ffffff01d9151608)
        socket_vop_close+0xf2(ffffff01dfa56800, 3, 1, 0, ffffff01d9151608, 0)
        fop_close+0x71(ffffff01dfa56800, 3, 1, 0, ffffff01d9151608, 0)
        closef+0x9e(ffffff01d7e157d8)
        closeandsetf+0x406(5, 0)
        close+0x18(5)
        sys_syscall32+0x1fc()
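
The build check from section 2 and the stack signature from section 3, combined as an added triage example (not part of the original Sun Alert). The function names, the status labels and the sample trace are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example; not part of the original Sun Alert.

# Classify a `uname -v` string against the build range given in this alert.
# Prints one of: affected | fixed | not-listed | unknown
classify_build() {
    case "$1" in
        snv_*) n=${1#snv_} ;;
        *)     echo unknown; return 0 ;;   # not an snv_ build string
    esac
    n=${n%%[!0-9]*}                        # drop any non-numeric suffix
    [ -n "$n" ] || { echo unknown; return 0; }
    if   [ "$n" -lt 106 ]; then echo not-listed   # below the affected range
    elif [ "$n" -le 107 ]; then echo affected     # snv_106 through snv_107
    else                        echo fixed        # snv_108 or later
    fi
}

# Read a panic stack trace on stdin; succeed only if BOTH frames named in
# section 3 are present at the start of a frame line.
has_panic_signature() {
    trace=$(cat)
    printf '%s\n' "$trace" | grep '^[[:space:]]*sctp_sack+0x' >/dev/null &&
    printf '%s\n' "$trace" | grep '^[[:space:]]*sosctp_close+0x' >/dev/null
}

# Constructed sample: three frames abbreviated from the trace in section 3.
sample='        sctp_sack+0xcf(ffffff09c5b45928, 0)
        sosctp_close+0x4c(ffffff05727bcc90, 3, ffffff01d9151608)
        close+0x18(5)'

echo "this host: $(classify_build "$(uname -v)")"
if printf '%s\n' "$sample" | has_panic_signature; then
    echo "sample trace: matches the panic signature"
fi
```

As the note in section 2 says, a distribution may carry fixes beyond its base build, so an `affected` result is a prompt to verify the installed build rather than a final verdict.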


4. Workaround

There is no workaround to this issue. Please see the Resolution section below.


5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • OpenSolaris based upon builds snv_108 or later

x86 Platform
  • OpenSolaris based upon builds snv_108 or later


