BUGTRAQ ID: 33188
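CNCAN ID: CNCAN-2009011201
Sun Solaris is a commercial server operating system.
An integer overflow error exists in Sun Solaris 'aio_suspend()'. A local attacker can exploit the vulnerability to cause a denial of service on the system.
The problem is in the following code: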
/uts/common/os/aio.c
[..]
221 static int64_t
222 kaioc(
223 long a0,
224 long a1,
225 long a2,
226 long a3,
227 long a4,
228 long a5)
229 {
230 int error;
231 long rval = 0;
232
233 switch ((int)a0 & ~AIO_POLL_BIT) {
...
266 case AIOSUSPEND:
267 [1] error = aiosuspend((void *)a1, (int)a2, (timespec_t *)a3,
268 (int)a4, &rval, AIO_64);
269 break;
[..]
[1] The "aiosuspend()" parameters "a1", "a2", "a3" and "a4" are user controlled.
/uts/common/os/aio.c
[..]
897 static int
898 aiosuspend(
899 void *aiocb,
900 int nent,
901 struct timespec *timout,
902 int flag,
903 long *rval,
904 int run_mode)
905 {
...
925 aiop = curproc->p_aio;
926 [2] if (aiop == NULL || nent <= 0)
927 return (EINVAL);
...
951 if (model == DATAMODEL_NATIVE)
952 [3] ssize = (sizeof (aiocb_t *) * nent);
953 #ifdef _SYSCALL32_IMPL
954 else
955 [3] ssize = (sizeof (caddr32_t) * nent);
956 #endif /* _SYSCALL32_IMPL */
957
958 [4] cbplist = kmem_alloc(ssize, KM_NOSLEEP);
[..]
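[2] "nent" is user controlled, and the "nent" > 0 check can be bypassed.
[3] The "ssize" value is computed from the user-controlled "nent" value. Supplying 0x3fffffff for "nent" triggers an integer overflow, resulting in "ssize" = 0x00000000. "kmem_alloc()" is then called with a length of 0x00000000 (see [4]). "kmem_alloc()" itself calls "vmem_alloc()" with a length of 0x00000000, which in turn calls "vmem_xalloc()" with the same "size" value.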
/lib/libumem/common/vmem.c
[..]
815 void *
816 vmem_xalloc(vmem_t *vmp, size_t size, size_t align, size_t phase,
817 size_t nocross, void *minaddr, void *maxaddr, int vmflag)
818 {
...
934 [6] if (size == 0)
935 umem_panic("vmem_xalloc(): size == 0");
[..]
[6] If a "size" value of 0x00000000 is passed to "vmem_xalloc()", the kernel panics and the system crashes.
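The unchecked size computation at [3] next to an overflow-checked form, as an added example (not Solaris source and not the vendor's patch). It models size_t as 32 bits; the function names and sample counts are constructed for illustration, and which count wraps to exactly zero depends on the element size and the width of size_t.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form of step [3], with size_t modelled as a 32-bit value. */
static uint32_t ssize_unchecked32(uint32_t elem_size, int nent)
{
    return elem_size * (uint32_t)nent;      /* wraps modulo 2^32 */
}

/*
 * Hypothetical hardened form: bound nent by the element size before
 * multiplying, so the allocator is never handed a wrapped or zero length.
 * Returns 0 and stores the size in *out, or EINVAL / EOVERFLOW.
 */
static int ssize_checked32(uint32_t elem_size, int nent, uint32_t *out)
{
    if (nent <= 0 || elem_size == 0)
        return EINVAL;                      /* same rejection as check [2] */
    if ((uint32_t)nent > UINT32_MAX / elem_size)
        return EOVERFLOW;                   /* product would not fit in 32 bits */
    *out = elem_size * (uint32_t)nent;      /* non-zero and exact */
    return 0;
}

int main(void)
{
    /* Constructed sample counts; 4 stands in for sizeof (caddr32_t). */
    const int samples[] = { 16, 0x40000000, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t size = 0;
        int err = ssize_checked32(4, samples[i], &size);
        printf("nent=%#x unchecked=%#x checked: err=%d size=%#x\n",
            (unsigned)samples[i], (unsigned)ssize_unchecked32(4, samples[i]),
            err, (unsigned)size);
    }
    return 0;
}
```

The check rejects the count before any allocation is attempted, so a zero length never reaches the "size == 0" test at [6].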
Sun Solaris 9_x86
Sun Solaris 9_sparc
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8
Sun Solaris 10_x86
Sun Solaris 10_sparc
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun Solaris 10
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
Sun OpenSolaris
Refer to the following patches:
Sun Solaris 10.0
Sun 121394-02
for SPARC
http://sunsolve.sun.com/pdownload.do?target=121394-02&method=h
Sun 121395-02
for x86
http://sunsolve.sun.com/pdownload.do?target=121395-02&method=h
Sun Solaris 10_sparc
Sun 121394-02
for SPARC
http://sunsolve.sun.com/pdownload.do?target=121394-02&method=h
Sun Solaris 10.0_x86
Sun 121395-02
for x86
http://sunsolve.sun.com/pdownload.do?target=121395-02&method=h
Sun Solaris 10_x86
Sun 121395-02
for x86
http://sunsolve.sun.com/pdownload.do?target=121395-02&method=h
Sun Solaris 8
Sun 117350-59
for SPARC
http://sunsolve.sun.com/pdownload.do?target=117350-59&method=h
Sun 117351-59
for x86
http://sunsolve.sun.com/pdownload.do?target=117351-59&method=h
Sun Solaris 10
Sun 121394-02
for SPARC
http://sunsolve.sun.com/pdownload.do?target=121394-02&method=h
Sun 121395-02
for x86
http://sunsolve.sun.com/pdownload.do?target=121395-02&method=h
Sun Solaris 9
Sun 138577-01
for SPARC
http://sunsolve.sun.com/pdownload.do?target=138577-01&method=h
Sun 138578-01
for x86
http://sunsolve.sun.com/pdownload.do?target=138578-01&method=h
Sun Solaris 9_x86
Sun 138578-01
for x86
http://sunsolve.sun.com/pdownload.do?target=138578-01&method=h
Sun Solaris 8_x86
Sun 117351-59
for x86
http://sunsolve.sun.com/pdownload.do?target=117351-59&method=h