DOE-CIRC TECHNICAL BULLETIN

T-244: Solaris IP(7P) Module and STREAMS Framework Denial of Service Vulnerabilities

October 2, 2009 15:00 GMT

PROBLEM: Security Vulnerabilities in Solaris IP(7P) Module and STREAMS Framework May Lead to a Denial of Service (DoS) Condition.
PLATFORM: Solaris 8 Operating System, Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris
ABSTRACT: Solaris IP(7P) module and STREAMS Framework may allow an unprivileged local user to leak kernel memory, eventually causing the system to hang.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-244.shtml
  OTHER LINKS: Security Tracker
http://securitytracker.com/alerts/2009/Sep/1022973.html


IMPACT ASSESSMENT: This risk is low. A local user can trigger memory leaks in the Solaris IP(7P) module and STREAMS Framework to cause the target system to hang.

Discussion:
Security vulnerabilities in the Solaris IP(7P) module and STREAMS Framework may allow an unprivileged local user to leak kernel memory, eventually causing the system to hang. This is a type of Denial of Service (DoS).

Vulnerable:
SPARC Platform

* Solaris 8
* Solaris 9 without patch 122300-44
* Solaris 10 without patch 141414-09
* OpenSolaris based upon builds snv_01 through snv_108

x86 Platform

* Solaris 8
* Solaris 9 without patch 122301-44
* Solaris 10 without patch 141415-09
* OpenSolaris based upon builds snv_01 through snv_108

Symptoms:
1. If the described issue occurs, the following messages may be displayed on the system console or in the '/var/adm/messages' file:

sshd: [ID  auth.error] error: fork: Error 0
WARNING: /etc/svc/volatile: File system full, swap space limit exceeded
WARNING: Sorry, no swap space to grow stack for pid 
inetd: [ID  daemon.error] Unable to fork inetd_start method of instance
svc:/network/vnetd/tcp:default: Not enough space
Cannot map /lib/ld.so.1

2. A forced coredump generated from unresponsive systems which have the 'kmem_flags' variable set to 0xf in the '/etc/system' file (see system(4) for modifying this file) may show memory leaks in one of the streams_dblk_* memory caches, and also in the streams_mblk cache, with one of the following stacks:

kmem_cache_alloc+0x18c
allocb+0x94
allocb_cred+8
strmakedata+0xa0
strput+0x23c
strwrite_common+0x284
fop_write+0x20
write+0x268

kmem_cache_alloc+0x88
dblk_constructor+0x54
kmem_cache_alloc_debug+0x388
kmem_cache_alloc+0x88
allocb+0x4c
allocb_tryhard+0x1c
putnextctl1+0x30
ldterm_dosig+0x16c
ldtermrput+0x508
putnext+0x3f4
qdrain_syncq+0x368
drain_syncq+0x618
taskq_d_thread+0xbc

The following command can be run as the "root" user to find memory leaks in the coredump files:

# echo ::findleaks -dv | /usr/bin/mdb -k unix.# vmcore.# > findleak.txt

(Where # is the current core dump number.) Open findleak.txt to confirm the presence of one of the stack traces shown above.

Solution:
These issues are addressed in the following releases:

SPARC Platform

* Solaris 9 with patch 122300-44 or later
* Solaris 10 with patch 141414-09 or later
* OpenSolaris based upon builds snv_109 or later

x86 Platform

* Solaris 9 with patch 122301-44 or later
* Solaris 10 with patch 141415-09 or later
* OpenSolaris based upon builds snv_109 or later

A final resolution is pending completion for Solaris 8.
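The two checks a Solaris administrator would want from this bulletin, combined into one script: whether the installed revision of the relevant kernel patch meets the fixed level listed under "Solution", and whether the messages file contains the symptoms listed under "Symptoms". This is an added example, not a tool from Sun or DOE-CIRC; the patch list and log lines embedded below are constructed samples (on a live host, feed it the output of `showrev -p` and the contents of `/var/adm/messages`), and the patch base ID and minimum revision are passed as arguments so the same check works for the Solaris 9 and x86 patch IDs.

```shell
#!/bin/sh
# Added example (not from the bulletin): patch-level and symptom check
# for the Solaris IP/STREAMS memory-leak DoS described above.

# Constructed sample of `showrev -p` output: a host still at rev 08 of
# the Solaris 10 SPARC patch named in the bulletin (i.e. not yet fixed).
SAMPLE_PATCHES_OLD='Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 141414-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr'

# Constructed sample of a host that has the fixed revision installed.
SAMPLE_PATCHES_NEW='Patch: 141414-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr
Patch: 141414-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr'

# Constructed /var/adm/messages excerpt: one benign line plus two of the
# symptom messages quoted in the bulletin.
SAMPLE_MESSAGES='Oct  2 14:59:10 host sendmail[101]: [ID daemon.info] started
Oct  2 15:00:01 host sshd: [ID  auth.error] error: fork: Error 0
Oct  2 15:00:02 host unix: WARNING: /etc/svc/volatile: File system full, swap space limit exceeded'

# Print the highest installed revision (as a decimal integer, 0 if absent)
# of the patch whose base ID is $1, reading `showrev -p` lines from stdin.
highest_rev() {
    awk -v base="$1" '
        BEGIN { max = 0 }
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 > max) max = p[2] + 0 }
        END { print max }'
}

# Succeed when the installed revision of patch $1 is at least $2 (decimal).
patch_fixed() {
    rev=$(highest_rev "$1")
    [ "$rev" -ge "$2" ]
}

# Count stdin lines matching the console/messages symptoms from the bulletin.
symptom_count() {
    grep -c -e 'fork: Error 0' -e 'swap space limit exceeded' \
            -e 'no swap space to grow stack' -e 'Unable to fork' \
            -e 'Not enough space' -e 'Cannot map /lib/ld.so.1' || true
}

# assess <patch-base> <min-rev> <patch-list-text> <messages-text>
assess() {
    if printf '%s\n' "$3" | patch_fixed "$1" "$2"; then
        echo "patched"
    elif [ "$(printf '%s\n' "$4" | symptom_count)" -gt 0 ]; then
        echo "vulnerable-with-symptoms"   # unpatched and already showing leak symptoms
    else
        echo "vulnerable"                 # unpatched, no symptoms yet
    fi
}

assess 141414 9 "$SAMPLE_PATCHES_OLD" "$SAMPLE_MESSAGES"
```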

DOE-CIRC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788