-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL
Pointer Dereference
Advisory ID: TKADV2010-001
Revision: 1.0
Release Date: 2010/01/31
Last Modified: 2010/01/31
Date Reported: 2009/11/29
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Solaris 10 with 127128-11 and w/o 143913-01 (x86)
OpenSolaris build snv_69 through snv_133 (x86)
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.oracle.com, http://www.sun.com/
Vendor Status: Vendor has released an updated version
Patch development time: 61 days
CVE-ID: CVE-2010-0453
======================
Vulnerability Details:
======================
The kernel of Oracle Solaris contains a vulnerability in the code that
handles UCODE_GET_VERSION IOCTL requests.
The vulnerability allows a local unprivileged user the ability to panic a
Solaris x86 Intel-based system (32-bit/64-bit mode) due to a NULL pointer
dereference. The ability to panic a system is a type of Denial of Service
(DoS).
The issue can be triggered by sending a specially crafted IOCTL request to
the kernel.
==================
Technical Details:
==================
The following source code references are based on the kernel source code
available from http://www.opensolaris.org.
intel/io/ucode_drv.c:
[..]
static int
ucode_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cr, int
*rval)
{
..
switch (cmd) {
case UCODE_GET_VERSION: {
int size;
uint32_t *revp, *rev_array;
ucode_errno_t rc = EM_OK;
STRUCT_DECL(ucode_get_rev_struct, h);
STRUCT_INIT(h, mode);
[1] if (ddi_copyin((void *)arg,
STRUCT_BUF(h), STRUCT_SIZE(h), mode))
return (EFAULT);
[2] if ((size = STRUCT_FGET(h, ugv_size)) > NCPU)
return (EINVAL);
if ((rev_array = STRUCT_FGETP(h, ugv_rev)) == NULL)
return (EINVAL);
size *= sizeof (uint32_t);
[3] revp = kmem_zalloc(size, KM_SLEEP);
if (ddi_copyin((void *)rev_array, revp, size, mode) != 0) {
kmem_free(revp, size);
return (EINVAL);
}
[4] rc = ucode_get_rev(revp);
[..]
[1] The struct 'h' is filled with user controlled IOCTL input data.
[2] The value of 'size' derives from user controlled data.
[3] If 'size' has a value of 0, kmem_zalloc() will return NULL. This
results in revp pointing to NULL.
[4] 'revp' is used as a function parameter for ucode_get_rev().
i86pc/os/microcode.c:
[..]
/*
* Returns microcode revision from the machcpu structure.
*/
ucode_errno_t
ucode_get_rev(uint32_t *revp)
{
int i;
ASSERT(ucode);
ASSERT(revp);
if (!ucode->capable(CPU))
return (EM_NOTSUP);
mutex_enter(&cpu_lock);
for (i = 0; i < max_ncpus; i++) {
cpu_t *cpu;
if ((cpu = cpu_get(i)) == NULL)
continue;
[5] revp[i] = cpu->cpu_m.mcpu_ucode_info->cui_rev;
[..]
[5] This assignment leads to a NULL pointer dereference as 'revp == NULL'.
=========
Solution:
=========
This issue is addressed in the following patch releases from Oracle/Sun:
x86 Platform
- Solaris 10 with patch 143913-01 or later
- OpenSolaris based upon builds snv_134 or later
====================
Disclosure Timeline:
====================
2009/11/29 - Initial vendor notification
2009/11/30 - Oracle/Sun confirms the vulnerability
2010/01/08 - Status update by Oracle/Sun
2010/01/25 - Status update by Oracle/Sun
2010/01/29 - Patch 143913-01 released for Solaris 10
2010/01/31 - Release date of this security advisory
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[REF1] http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1
[REF2] http://www.trapkit.de/advisories/TKADV2010-001.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2010 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8
wj8DBQFLZVx1kXxgcAIbhEERAk3LAJ44NNQKGUbHu1AIHcZWpysW0cQ7HQCg9DcX
7rqrkip5hSx+zx3PfcqzOOk=
=CWdo
-----END PGP SIGNATURE-----