-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL Pointer Dereference Advisory ID: TKADV2010-001 Revision: 1.0 Release Date: 2010/01/31 Last Modified: 2010/01/31 Date Reported: 2009/11/29 Author: Tobias Klein (tk at trapkit.de) Affected Software: Solaris 10 with 127128-11 and w/o 143913-01 (x86) OpenSolaris build snv_69 through snv_133 (x86) Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: http://www.oracle.com, http://www.sun.com/ Vendor Status: Vendor has released an updated version Patch development time: 61 days CVE-ID: CVE-2010-0453 ====================== Vulnerability Details: ====================== The kernel of Oracle Solaris contains a vulnerability in the code that handles UCODE_GET_VERSION IOCTL requests. The vulnerability allows a local unprivileged user the ability to panic a Solaris x86 Intel-based system (32-bit/64-bit mode) due to a NULL pointer dereference. The ability to panic a system is a type of Denial of Service (DoS). The issue can be triggered by sending a specially crafted IOCTL request to the kernel. ================== Technical Details: ================== The following source code references are based on the kernel source code available from http://www.opensolaris.org. intel/io/ucode_drv.c: [..] static int ucode_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cr, int *rval) { .. switch (cmd) { case UCODE_GET_VERSION: { int size; uint32_t *revp, *rev_array; ucode_errno_t rc = EM_OK; STRUCT_DECL(ucode_get_rev_struct, h); STRUCT_INIT(h, mode); [1] if (ddi_copyin((void *)arg, STRUCT_BUF(h), STRUCT_SIZE(h), mode)) return (EFAULT); [2] if ((size = STRUCT_FGET(h, ugv_size)) > NCPU) return (EINVAL); if ((rev_array = STRUCT_FGETP(h, ugv_rev)) == NULL) return (EINVAL); size *= sizeof (uint32_t); [3] revp = kmem_zalloc(size, KM_SLEEP); if (ddi_copyin((void *)rev_array, revp, size, mode) != 0) { kmem_free(revp, size); return (EINVAL); } [4] rc = ucode_get_rev(revp); [..] [1] The struct 'h' is filled with user controlled IOCTL input data. [2] The value of 'size' derives from user controlled data. [3] If 'size' has a value of 0, kmem_zalloc() will return NULL. This results in revp pointing to NULL. [4] 'revp' is used as a function parameter for ucode_get_rev(). i86pc/os/microcode.c: [..] /* * Returns microcode revision from the machcpu structure. */ ucode_errno_t ucode_get_rev(uint32_t *revp) { int i; ASSERT(ucode); ASSERT(revp); if (!ucode->capable(CPU)) return (EM_NOTSUP); mutex_enter(&cpu_lock); for (i = 0; i < max_ncpus; i++) { cpu_t *cpu; if ((cpu = cpu_get(i)) == NULL) continue; [5] revp[i] = cpu->cpu_m.mcpu_ucode_info->cui_rev; [..] [5] This assignment leads to a NULL pointer dereference as 'revp == NULL'. ========= Solution: ========= This issue is addressed in the following patch releases from Oracle/Sun: x86 Platform - Solaris 10 with patch 143913-01 or later - OpenSolaris based upon builds snv_134 or later ==================== Disclosure Timeline: ==================== 2009/11/29 - Initial vendor notification 2009/11/30 - Oracle/Sun confirms the vulnerability 2010/01/08 - Status update by Oracle/Sun 2010/01/25 - Status update by Oracle/Sun 2010/01/29 - Patch 143913-01 released for Solaris 10 2010/01/31 - Release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [REF1] http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1 [REF2] http://www.trapkit.de/advisories/TKADV2010-001.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2010 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Charset: utf-8 wj8DBQFLZVx1kXxgcAIbhEERAk3LAJ44NNQKGUbHu1AIHcZWpysW0cQ7HQCg9DcX 7rqrkip5hSx+zx3PfcqzOOk= =CWdo -----END PGP SIGNATURE-----