Note: This is an archival copy of Security Sun Alert 258828 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020456.1.
Article ID : 1020456.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-06-17
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Memory Leak in the Solaris Ultra-SPARC T2 crypto provider device driver (n2cp(7D)) may Result in Denial of Service (DoS) to the System as a Whole



Category
Security

Release Phase
Resolved

Bug Id
6784968

Product
Solaris 10 Operating System
OpenSolaris

Date of Resolved Release
18-Jun-2009

A memory leak in the Solaris Ultra-SPARC T2 crypto provider device driver (n2cp(7D)) may result in a Denial of Service (DoS) to the system as a whole:

1. Impact

A memory leak in the Solaris Ultra-SPARC T2 crypto provider device driver (n2cp(7D)) may allow a local or remote unprivileged user to cause Denial of Service (DoS) to the system as a whole.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 10 without patch 140386-03
  • OpenSolaris based upon builds snv_54 through snv_112
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue. Solaris 10 and OpenSolaris on the x86 platform is also not impacted.

Note 2: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:
    $ uname -v
snv_101
This issue only impacts systems with UltraSPARC-T2 CPUs. To determine if a system contains this CPU, run the following command:
    $ prtdiag | grep UltraSPARC-T2
If a system is equipped with an UltraSPARC-T2 CPU the output of the above command will be similar to the following (output trimmed):
    0      1167 MHz  SUNW,UltraSPARC-T2     on-line  
1      1167 MHz  SUNW,UltraSPARC-T2     on-line 
...
62     1167 MHz  SUNW,UltraSPARC-T2     on-line 
63     1167 MHz  SUNW,UltraSPARC-T2     on-line
This issue can be exploited remotely only in cases where there are services running on the system that use Solaris Crypto Framework for MAC/HMAC processing. To determine if the n2cp driver on the system is used for such processing,  run the following command:
    $ kstat -m n2cp | grep mac
If any of  the counters are greater than zero then the driver is used for that number of computations.
3. Symptoms

If the described  issue occurs the kernel memory allocations may grow (which could be examined using a kernel debugger such as mdb(1)) and messages similar to the following may be displayed on the console:
n2cp: [ID 504468 kern.warning] WARNING: alloc_hmac_ctx: keylen(512) > maxlen(32)
The following command can be used to observe the context allocations:
    # echo '::kmastat ! grep n2cp_ctx_cache' | mdb -k
If the value in the 5th column (memory in use) increases over time then the issue described in this Sun Alert has occurred.

4. Workaround

To work around the described issue, disable n2cp driver to be used for HMAC processing using the following command:
  # /usr/sbin/cryptoadm disable provider=n2cp/0 
mechanism=CKM_MD5_HMAC,CKM_SHA_1_HMAC,CKM_SHA256_HMAC,CKM_MD5_HMAC_GENERAL,
CKM_SHA_1_HMAC_GENERAL,CKM_SHA256_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

Applying this work around may impact performance of MAC/HMAC processing. For example, slowing down SSL connection processing. This impact can be noticeable depending on the workload.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 140386-03 or later
  • OpenSolaris based upon builds snv_113 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


References

140386-03





Attachments
This solution has no attachment