Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL Pointer Deref

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Advisory:               Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL

Pointer Dereference

Advisory ID:            TKADV2010-001

Revision:               1.0

Release Date:           2010/01/31

Last Modified:          2010/01/31

Date Reported:          2009/11/29

Author:                 Tobias Klein (tk at trapkit.de)

Affected Software:      Solaris 10 with 127128-11 and w/o 143913-01 (x86)

OpenSolaris build snv_69 through snv_133 (x86)

Remotely Exploitable:   No

Locally Exploitable:    Yes

Vendor URL:             http://www.oracle.com, http://www.sun.com/

Vendor Status:          Vendor has released an updated version

Patch development time: 61 days

CVE-ID:                 CVE-2010-0453

======================

Vulnerability Details:

======================

The kernel of Oracle Solaris contains a vulnerability in the code that

handles UCODE_GET_VERSION IOCTL requests.

The vulnerability allows a local unprivileged user the ability to panic a

Solaris x86 Intel-based system (32-bit/64-bit mode) due to a NULL pointer

dereference. The ability to panic a system is a type of Denial of Service

(DoS).

The issue can be triggered by sending a specially crafted IOCTL request to

the kernel.

==================

Technical Details:

==================

The following source code references are based on the kernel source code

available from http://www.opensolaris.org.

intel/io/ucode_drv.c:

[..]

static int

ucode_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cr, int

*rval)

{

..

switch (cmd) {

case UCODE_GET_VERSION: {

int size;

uint32_t *revp, *rev_array;

ucode_errno_t rc = EM_OK;

STRUCT_DECL(ucode_get_rev_struct, h);

STRUCT_INIT(h, mode);

[1] if (ddi_copyin((void *)arg,

STRUCT_BUF(h), STRUCT_SIZE(h), mode))

return (EFAULT);

[2] if ((size = STRUCT_FGET(h, ugv_size)) > NCPU)

return (EINVAL);

if ((rev_array = STRUCT_FGETP(h, ugv_rev)) == NULL)

return (EINVAL);

size *= sizeof (uint32_t);

[3] revp = kmem_zalloc(size, KM_SLEEP);

if (ddi_copyin((void *)rev_array, revp, size, mode) != 0) {

kmem_free(revp, size);

return (EINVAL);

}

[4] rc = ucode_get_rev(revp);

[..]

[1] The struct 'h' is filled with user controlled IOCTL input data.

[2] The value of 'size' derives from user controlled data.

[3] If 'size' has a value of 0, kmem_zalloc() will return NULL. This

results in revp pointing to NULL.

[4] 'revp' is used as a function parameter for ucode_get_rev().

i86pc/os/microcode.c:

[..]

/*

* Returns microcode revision from the machcpu structure.

*/

ucode_errno_t

ucode_get_rev(uint32_t *revp)

{

int i;

ASSERT(ucode);

ASSERT(revp);

if (!ucode->capable(CPU))

return (EM_NOTSUP);

mutex_enter(&cpu_lock);

for (i = 0; i < max_ncpus; i++) {

cpu_t *cpu;

if ((cpu = cpu_get(i)) == NULL)

continue;

[5] revp[i] = cpu->cpu_m.mcpu_ucode_info->cui_rev;

[..]

[5] This assignment leads to a NULL pointer dereference as 'revp == NULL'.

=========

Solution:

=========

This issue is addressed in the following patch releases from Oracle/Sun:

x86 Platform

- Solaris 10 with patch 143913-01 or later

- OpenSolaris based upon builds snv_134 or later

====================

Disclosure Timeline:

====================

2009/11/29 - Initial vendor notification

2009/11/30 - Oracle/Sun confirms the vulnerability

2010/01/08 - Status update by Oracle/Sun

2010/01/25 - Status update by Oracle/Sun

2010/01/29 - Patch 143913-01 released for Solaris 10

2010/01/31 - Release date of this security advisory

========

Credits:

========

Vulnerability found and advisory written by Tobias Klein.

===========

References:

===========

[REF1] http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1

[REF2] http://www.trapkit.de/advisories/TKADV2010-001.txt

========

Changes:

========

Revision 0.1 - Initial draft release to the vendor

Revision 1.0 - Public release

===========

Disclaimer:

===========

The information within this advisory may change without notice. Use

of this information constitutes acceptance for use in an AS IS

condition. There are no warranties, implied or express, with regard

to this information. In no event shall the author be liable for any

direct or indirect damages whatsoever arising out of or in connection

with the use or spread of this information. Any use of this

information is at the user's own risk.

==================

PGP Signature Key:

==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2010 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----

Version: PGP

Charset: utf-8

wj8DBQFLZVx1kXxgcAIbhEERAk3LAJ44NNQKGUbHu1AIHcZWpysW0cQ7HQCg9DcX

7rqrkip5hSx+zx3PfcqzOOk=

=CWdo

-----END PGP SIGNATURE-----