Note: This is an archival copy of Security Sun Alert 266228 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020861.1.
Article ID : 1020861.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-09-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in lx Branded Zones May Result in Denial of Service (DoS)



Category
Security

Release Phase
Resolved

Bug Id
6818191

Product
Solaris 10 Operating System
OpenSolaris

Date of Resolved Release
09-Sep-2009

1. Impact

A security vulnerability in lx branded zones may allow a local unprivileged user to panic a Solaris x86 Intel-based system running in 64-bit mode, which is a type of Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

x86 Platform
  • Solaris 10 with patch 120012-14 and without patch 141415-10
  • OpenSolaris based upon builds snv_49 through snv_117

Notes:

1. Solaris 8 and 9 and Solaris on the SPARC platform are not impacted by this issue.

2. This issue only affects Intel-based systems running in 64-bit mode. amd64 machines are not impacted by this issue. To determine if a system is Intel-based, the following command can be run:

    $ psrinfo -vp
    x86 (GenuineIntel 10676 family 6 model 23 step 6 clock 3166 MHz)
    Intel(r) Core(tm)2 Duo CPU     E8500  @ 3.16GHz

To determine if a system is running in 64-bit mode, the following command can be run:

    $ isainfo -b
    64

3. This issue only affects systems which have installed and configured an lx branded zone. To display the list of all running zones on the system, the zoneadm(1M) command can be used as follows:

    $ zoneadm list -v
    ID NAME     STATUS   PATH            BRAND   IP
    0  global   running  /               native  shared
    1  lx-zone  running  /zones/lx-zone  lx      shared

4. OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be determined as follows:

    $ uname -v
    snv_86
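
The checks from the notes above, combined into one triage script. This is an added example, not part of the Sun Alert or of any Sun/Oracle tooling; the function names are made up for illustration, and each function takes the captured text output of the command named in its comment. For Solaris 10 kernel strings (anything not starting with `snv_`) it only reports that the patch level has to be checked.

```shell
#!/bin/sh
# Added example (not Sun/Oracle code): triage for Sun Alert 266228.
# Each function takes captured command output as text, so it runs offline.

is_intel()    { printf '%s\n' "$1" | grep -q 'GenuineIntel'; }         # psrinfo -vp
is_64bit()    { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 64 ]; }  # isainfo -b
has_lx_zone() {                                                        # zoneadm list -v
    # BRAND is the fifth column; NR > 1 skips the header row.
    printf '%s\n' "$1" | awk 'NR > 1 && $5 == "lx" { f = 1 } END { exit !f }'
}

build_status() {                                                       # uname -v
    case "$1" in
        snv_*)
            # Keep the leading digits only, so "snv_111b" compares as 111.
            n=$(printf '%s\n' "${1#snv_}" | sed 's/[^0-9].*$//')
            [ -n "$n" ] || { echo unknown; return 0; }
            if [ "$n" -ge 49 ] && [ "$n" -le 117 ]; then echo affected
            else echo not-affected; fi ;;
        *)  echo check-patches ;;   # Solaris 10: decided by patch level
    esac
}

assess() {   # $1=psrinfo -vp  $2=isainfo -b  $3=zoneadm list -v  $4=uname -v
    is_intel "$1"    || { echo "not-affected: CPU vendor is not Intel"; return 0; }
    is_64bit "$2"    || { echo "not-affected: not running in 64-bit mode"; return 0; }
    has_lx_zone "$3" || { echo "not-affected: no lx branded zone listed"; return 0; }
    case "$(build_status "$4")" in
        affected)      echo "affected: build $4 is within snv_49..snv_117" ;;
        not-affected)  echo "not-affected: build $4 is outside snv_49..snv_117" ;;
        check-patches) echo "check-patches: affected with 120012-14 and without 141415-10" ;;
        *)             echo "unknown: cannot parse build string $4" ;;
    esac
}

# Sample outputs copied from the advisory's own examples.
PSRINFO='x86 (GenuineIntel 10676 family 6 model 23 step 6 clock 3166 MHz)'
ZONES='ID NAME STATUS PATH BRAND IP
0 global running / native shared
1 lx-zone running /zones/lx-zone lx shared'
assess "$PSRINFO" 64 "$ZONES" snv_86
```

On a live system the arguments would be `"$(psrinfo -vp)"`, `"$(isainfo -b)"`, `"$(zoneadm list -v)"` and `"$(uname -v)"`.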

3. Symptoms

Should the described issue occur, the system will panic with output similar to the following:
panic[cpu0]/thread=ffffff02e58edac0:
BAD TRAP: type=8 (#df Double fault) rp=fffffffffbc36db0 addr=0
zsh:
#df Double fault
pid=4702, pc=0xfffffffffb852019, sp=0xffffff00104a0f60, eflags=0x10086
cr0: 8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6f8<xmme,fxsr,pge,mce,pae,pse,de>
cr2: ffffff00104a0f58
cr3: 1efe18000
cr8: c
         rdi:         fec44480 rsi:         fedb2a00 rdx:         febc18f5
rcx:               4b  r8: fffffffffbc4db30  r9: ffffff02d4569580
rax:       3fb28f5b30 rbx:         fec40000 rbp: ffffff00104a1050
r10: fecff3db2a00ffff r11: ffffff02e58edac0 r12:                0
r13:                0 r14: ffffff02eb2db1e0 r15:       3fb28f5b30
fsb:                0 gsb: fffffffffbc2dff0  ds:               4b
es:               4b  fs:                0  gs:              1c3
trp:                8 err:                0 rip: fffffffffb852019
cs:               30 rfl:            10086 rsp: ffffff00104a0f60
ss:               38
tss.tss_rsp0:   0xffffff00104a6000
tss.tss_rsp1:   0x0
tss.tss_rsp2:   0x0
tss.tss_ist1:   0xfffffffffbc36ea0
tss.tss_ist2:   0x0
tss.tss_ist3:   0x0
tss.tss_ist4:   0x0
tss.tss_ist5:   0x0
tss.tss_ist6:   0x0
tss.tss_ist7:   0x0
fffffffffbc36c90 unix:die+10f ()
fffffffffbc36da0 unix:trap+152c ()
ffffff00104a1050 unix:bcopy_ck_size+73d8 ()
ffffff00104a1140 unix:cmntrap+c5 ()
ffffff00104a1230 unix:cmntrap+c5 ()
...

4. Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases:

x86 Platform
  • Solaris 10 with patch 141415-10 or later
  • OpenSolaris based upon builds snv_118 or later

For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


References

141415-10




