-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Sun Solaris aio_suspend() Kernel Integer Overflow Vulnerability
Advisory ID: TKADV2009-001
Revision: 1.1
Release Date: 2009/01/08
Last Modified: 2009/02/15
Date Reported: 2008/09/15
Author: Tobias Klein (tk at trapkit.de)

Affected Software:
  Solaris 8 without patch 117350-59 (SPARC)
  Solaris 9 without patch 138577-01 (SPARC)
  Solaris 10 without patch 121394-02 (SPARC)
  Solaris 8 without patch 117351-59 (x86)
  Solaris 9 without patch 138578-01 (x86)
  Solaris 10 without patch 121395-02 (x86)
  OpenSolaris < build TBC (SPARC and x86)

Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.sun.com/
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2009-0132
Patch development time: 115 days

======================
Vulnerability Details:
======================

The Solaris kernel contains a vulnerability in the code that handles SYS_kaio syscall requests on systems running in 32-bit mode. Exploitation of this vulnerability results in a local denial of service (system crash due to a kernel panic). As all Solaris Zones (Containers) share the same kernel, it is possible to crash the whole system (all Zones) even if the vulnerability is triggered in an unprivileged non-global zone. This kernel vulnerability can be exploited by an unprivileged local user.

==================
Technical Details:
==================

The following source code references are based on the kernel source code available from http://www.opensolaris.org.

Source code file: /uts/common/os/aio.c

[..]
static int64_t
kaioc(
        long a0,
        long a1,
        long a2,
        long a3,
        long a4,
        long a5)
{
        int error;
        long rval = 0;

        switch ((int)a0 & ~AIO_POLL_BIT) {
        ...
        case AIOSUSPEND:
[1]             error = aiosuspend((void *)a1, (int)a2, (timespec_t *)a3,
                    (int)a4, &rval, AIO_64);
                break;
[..]

[1] The parameters "a1", "a2", "a3" and "a4" of the "aiosuspend()" function are user controlled.
Source code file: /uts/common/os/aio.c

[..]
static int
aiosuspend(
        void *aiocb,
        int nent,
        struct timespec *timout,
        int flag,
        long *rval,
        int run_mode)
{
        ...
        aiop = curproc->p_aio;
[2]     if (aiop == NULL || nent <= 0)
                return (EINVAL);
        ...
        if (model == DATAMODEL_NATIVE)
[3]             ssize = (sizeof (aiocb_t *) * nent);
#ifdef _SYSCALL32_IMPL
        else
[3]             ssize = (sizeof (caddr32_t) * nent);
#endif /* _SYSCALL32_IMPL */

[4]     cbplist = kmem_alloc(ssize, KM_NOSLEEP);
[..]

[2] As "nent" is controlled by the user, this check is passed for any "nent" > 0.

[3] The value of "ssize" is calculated from the user controlled value of "nent". By supplying a value of 0x3fffffff for "nent", an integer overflow occurs that results in "ssize" = 0x00000000. The "kmem_alloc()" function is then called with a length value of 0x00000000 (see [4]). The "kmem_alloc()" function itself calls "vmem_alloc()" with a "size" value of 0x00000000, which in turn calls "vmem_xalloc()" with the same "size" value.

Source code file: /lib/libumem/common/vmem.c

[..]
void *
vmem_xalloc(vmem_t *vmp, size_t size, size_t align, size_t phase,
    size_t nocross, void *minaddr, void *maxaddr, int vmflag)
{
        ...
[6]     if (size == 0)
                umem_panic("vmem_xalloc(): size == 0");
[..]

[6] If a "size" value of 0x00000000 is supplied to the "vmem_xalloc()" function, the kernel panics. This leads to a system crash (denial of service).
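The overflow at [3] and the bounds check that closes it, as an added example that is not from the advisory or the Solaris source. It models the 32-bit kernel's size_t arithmetic with uint32_t, assumes 4-byte caddr32_t entries, and uses a constructed "nent" value (0x40000000) for which the product wraps to exactly zero before reaching the allocator.

```c
/*
 * Added example (not from the advisory or the Solaris source): models the
 * 32-bit size computation in aiosuspend() and the overflow check that keeps
 * a zero or truncated length from ever reaching kmem_alloc().
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* size_t of a 32-bit kernel (assumption: 4-byte pointers / caddr32_t). */
typedef uint32_t size32_t;

/* Unchecked product, as the vulnerable code computes it: wraps modulo 2^32. */
size32_t aiosuspend_ssize_unchecked(size32_t elem_size, int32_t nent)
{
        return elem_size * (size32_t)nent;
}

/*
 * Hardened variant: refuse any nent whose product does not fit in 32 bits.
 * Returns 1 and stores the size on success, 0 when the request must be
 * rejected with EINVAL (as the existing nent <= 0 check at [2] already does).
 */
int aiosuspend_ssize_checked(size32_t elem_size, int32_t nent, size32_t *out)
{
        if (nent <= 0)                                  /* check at [2] */
                return 0;
        if ((size32_t)nent > UINT32_MAX / elem_size)    /* product would wrap */
                return 0;
        *out = elem_size * (size32_t)nent;
        return 1;
}

int main(void)
{
        const size32_t ptr32 = 4;                  /* sizeof (caddr32_t) */
        const int32_t samples[] = { 16, 0x40000000, 0x7fffffff };  /* constructed */
        size32_t ok;

        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
                int accepted = aiosuspend_ssize_checked(ptr32, samples[i], &ok);
                printf("nent=0x%08" PRIx32 " unchecked ssize=0x%08" PRIx32
                    " checked=%s\n", (uint32_t)samples[i],
                    aiosuspend_ssize_unchecked(ptr32, samples[i]),
                    accepted ? "accepted" : "rejected (EINVAL)");
        }
        return 0;
}
```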
=========
Solution:
=========

This issue is addressed in the following patch releases from Sun:

SPARC Platform
  - Solaris 8 with patch 117350-59 or later
  - Solaris 9 with patch 138577-01 or later
  - Solaris 10 with patch 121394-02 or later
  - OpenSolaris build TBC

x86 Platform
  - Solaris 8 with patch 117351-59 or later
  - Solaris 9 with patch 138578-01 or later
  - Solaris 10 with patch 121395-02 or later
  - OpenSolaris build TBC

========
History:
========

2008/09/15 - Vendor notified
2008/09/16 - Vendor confirms the vulnerability
2009/01/08 - Public disclosure of vulnerability details by Sun
2009/01/08 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://sunsolve.sun.com/search/document.do?assetkey=1-66-247986-1
[2] http://www.trapkit.de/advisories/TKADV2009-001.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
Revision 1.1 - CVE-ID added

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFJmBr9kXxgcAIbhEERAk8mAJ9nXnGZTQdTfHKrxhZ1VcIP8+1cswCeLsy5
Q5gqtzp0kdU4nHnIHJABSs4=
=++IV
-----END PGP SIGNATURE-----