=====================================================================
CERT-Renater Note d'Information No. 2007/VULN050
_____________________________________________________________________

DATE                 : 15/02/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Solaris 10.
======================================================================

http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102796-1
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102554-1
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102551-1

----------------------------------------------------------------------

Sun(sm) Alert Notification

  * Sun Alert ID: 102796
  * Synopsis: A Security Vulnerability in the TCP Implementation of
    Solaris 10 Systems May Result in a System Panic Under High TCP/IP
    Traffic
  * Category: Security
  * Product: Solaris 10 Operating System
  * BugIDs: 6404207
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 13-Feb-2007
  * Date Closed: 13-Feb-2007
  * Date Modified:

1. Impact

A remote privileged or unprivileged user may be able to trigger a race
condition in the TCP subsystem which can result in a system panic. The
ability to panic a system is a type of Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Solaris 10 without patch 119998-01

x86 Platform
  * Solaris 10 without patch 119999-01

Note: Solaris 8 and 9 are not impacted by this issue.

3. Symptoms

One of the following stack traces is seen:

------
tcp_clean_death+0xb8()
tcp_rput_data+0x1284()
squeue_enter_chain+0x90()
ip_input+0x824()
putnext+0x218()
ce_drain_fifo+0x52e4()
thread_start+4()
--------

--------
tcp_drop_q0+0x120()
tcp_conn_request+0x108()
squeue_drain+0x134()
squeue_enter_chain+0x350()
ip_input+0x824()
putnext+0x218()
ce_drain_fifo+0x52e4()
thread_start+4()
------

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

SPARC Platform
  * Solaris 10 with patch 119998-01 or later

x86 Platform
  * Solaris 10 with patch 119999-01 or later

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

---------------------------------------------------------------------------

Sun(sm) Alert Notification

  * Sun Alert ID: 102554
  * Synopsis: On Solaris 10 Possible System Panics with a "Bad Trap"
    from the drain_squeue() Function Under High Stress
  * Category: Availability
  * Product: Solaris 10 Operating System
  * BugIDs: 6266950
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 09-Aug-2006, 13-Feb-2007
  * Date Closed: 13-Feb-2007
  * Date Modified: 19-Jan-2007, 13-Feb-2007

1. Impact

System panics in the drain_squeue() TCP/IP function under heavy stress.

The following Sun Alerts describe TCP/IP issues for the new SPARC
systems which use CMT processors:

  * Sun Alert ID: 102551
  * Sun Alert ID: 102553
  * Sun Alert ID: 102554

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Solaris 10 without patch 119998-01

x86 Platform
  * Solaris 10 without patch 119999-01

Notes:

Solaris 8 and 9 are not impacted by this issue.

Extremely heavy TCP/IP loads with many tens of thousands of rapidly
opening/closing TCP connections are required. CMT processors (Chip
Multi-Threading technology) are more likely to sustain the throughput
required, while still being able to context switch rapidly enough to
reproduce this. It is highly unlikely that this issue will be seen on
other systems.

There are two classes of system using CMT processors. These can be
identified using the following commands:

a) Systems with Sun4v kernel architecture use CMT processors. These are
   identified by the command:

     % uname -m

   which will return "sun4v".

b) UltraSPARC IV and UltraSPARC IV+ systems use CMT processors. These
   are identified by the command:

     % prtconf -pv | grep "SUNW,UltraSPARC-IV"

   which will return a non-NULL result similar to:

     compatible: 'SUNW,UltraSPARC-IV'

3. Symptoms

The following panic string and stack trace are representative of this
issue:

BAD TRAP: type=31 rp=2a17492b380 addr=1c mmu_fsr=0
occurred in module "ip" due to a NULL pointer dereference

ip:squeue_drain+0x114(0x6000192d300, 0x10)
ip:squeue_enter+0x34c()
ip:tcp_wput(0x30011b6cbe0, 0x60023c83780) - frame recycled
unix:putnext+0x218(0x30011b6ce70, 0x60023c83780?)
genunix:strput+0x1b4(0x300143f46b8, 0x60023c83780, 0x0, 0x2a17492b918, 0x0, 0x0)
genunix:kstrputmsg+0x328(0x60008790780, , 0x0, 0x0, 0x0, 0x2c4, 0x0)
sockfs:sotpi_setsockopt+0x58c(0x3001445ebf0, 0x121c2113, 0x6c3e4fdd, 0x2a17492bac8, 0xc)
sockfs:setsockopt+0xc0()
unix:syscall_trap+0xac()
-- switch to user thread's user stack --

Please be aware that although this stack trace does not match the
stack trace in the bug report for bug 6266950, it is the same issue.
The stack trace in the bug report illustrated this same problem when
running an IP module compiled with DEBUG turned on.

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Solaris 10 with patch 119998-01 or later

x86 Platform
  * Solaris 10 with patch 119999-02 or later

Change History

19-Jan-2007:
  * Updated Relief/Workaround with temporary patches

13-Feb-2007:
  * Updated Contributing Factors, Relief/Workaround and Resolution
    sections
  * State: Resolved

----------------------------------------------------------------------

Sun(sm) Alert Notification

  * Sun Alert ID: 102551
  * Synopsis: Solaris 10 System Panics May be Seen Under High TCP/IP
    Stress Due to Race Conditions While Closing TCP Instances
  * Category: Availability
  * Product: Solaris 10 Operating System
  * BugIDs: 6404207
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 09-Aug-2006, 13-Feb-2007
  * Date Closed: 13-Feb-2007
  * Date Modified: 19-Jan-2007, 13-Feb-2007

1. Impact

Systems may experience a race condition in the tcp_close() function
which will result in a system panic.

The following Sun Alerts describe TCP/IP issues for the new SPARC
systems which use CMT processors:

  * Sun Alert ID: 102551
  * Sun Alert ID: 102553
  * Sun Alert ID: 102554

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Solaris 10 without patch 119998-01

x86 Platform
  * Solaris 10 without patch 119999-02

Notes:

Solaris 8 and 9 are not impacted by this issue.

Extremely heavy TCP/IP loads with many tens of thousands of rapidly
opening/closing TCP connections are required. CMT processors (Chip
Multi-Threading technology) are more likely to sustain the throughput
required, while still being able to context switch rapidly enough to
reproduce this. It is highly unlikely that this issue will be seen on
other systems.

There are two classes of system using CMT processors. These can be
identified using the following commands:

a) Systems with Sun4v kernel architecture use CMT processors. These are
   identified by the command:

     % uname -m

   which will return "sun4v".

b) UltraSPARC IV and UltraSPARC IV+ systems use CMT processors. These
   are identified by the command:

     % prtconf -pv | grep "SUNW,UltraSPARC-IV"

   which will return a non-NULL result similar to:

     compatible: 'SUNW,UltraSPARC-IV'

3. Symptoms

Several symptoms are seen when threads race to close/free a TCP eager.

a) A panic string and stack trace similar to the following:

BAD TRAP: type=31 rp=2a104df53f0 addr=0 mmu_fsr=0
occurred in module "unix" due to a NULL pointer dereference

atomic_add_int_nv+0x0(0x0, 0xffffffffffffffff)
crfree+0xc(0x0, , 0x0, 0x3000aad3a88, 0x3000134e000)
tcp_close+0x144(0x6002df0cb48, 0x3, 0x600362c2318)
qdetach+0x90(0x6002df0cb48, 0x1, 0x3, 0x600362c2318, 0x0)
strclose+0x3c0(0x30015add440, 0x3, 0x600362c2318)
socktpi_close+0x158(0x30015add440, 0x3, 0x1, 0x0, 0x600362c2318)
fop_close+0x20(0x30015add440, 0x3, 0x1, 0x0, 0x600362c2318)
closef+0x4c(0x60013c19f80)
closeandsetf+0x37c(0x7, 0x0)
close+0x8(, 0xff233244, 0xc6000, 0xd2fc8, 0x5449fd11, 0x0)
syscall_trap32+0xcc()

b) A panic string and one of the two following stack traces:

panic string: CONN_DEC_REF: connp(60024197840) has ref = 0

------
panicsys+0x48(0x13b37d8, 0x2a100ba19d0, 0x1844e20, 0x1, ...
vpanic_common+0x78(0x13b37d8, 0x2a100ba19d0, ...
cmn_err+0x98(0x3, 0x13b37d8, 0x60024197840, ...
squeue_drain+0x2e0(0x60001935480, 0x2, 0x3a7a, , , 0x3a79)
squeue_worker+0x88(0x60001935480, 0x0)
thread_start+0x4()
------

------
panicsys+0x48(0x1076058, 0x2a1113775c8, 0x1844c20, ...
vpanic_common+0x78(0x1076058, 0x2a1113775c8, ...
panic+0x1c(0x1076058, 0x181c430, 0x3002d9ad1e0, ...
mutex_enter(0x3002d9ad1e0) ...
tcp_close+0x84(0x313c64a4ff8, ...
qdetach+0x90(0x313c64a4ff8, 0x1, ...
strclose+0x3c0(0x3005c8ab1c0, 0x3, ...
socktpi_close+0xe4(0x3005c8ab1c0, ...
fop_close+0x20(0x3005c8ab1c0, 0x3, ...
closef+0x4c(0x313bfc555e0)
closeandsetf+0x37c(0x7, 0x0)
close+0x8(, 0xff233244, 0xc7400...
syscall_trap32+0xcc()
------

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Solaris 10 with patch 119998-01 or later

x86 Platform
  * Solaris 10 with patch 119999-02 or later

Change History

19-Jan-2007:
  * Updated Relief/Workaround section with Temporary patches

13-Feb-2007:
  * Removed CR 102551 which is addressed in Sun Alert 102796
  * Updated Contributing Factors, Relief/Workaround and Resolutions
    sections
  * State: Resolved
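The three alerts leave an administrator with two questions per host: is it in the hardware class where the high-stress panics are reproducible (the uname -m / prtconf -pv checks in the Contributing Factors sections of 102554 and 102551), and is the kernel patch from the Resolution sections (119998 on SPARC, 119999 on x86) installed at a sufficient revision. The script below is an added example written for this note; it is not part of the CERT-Renater text or of Sun's alerts. It assumes that the patch inventory is read from showrev -p (or patchadd -p) output in the form "Patch: NNNNNN-RR Obsoletes: ... Packages: ...", and it uses the higher of the two x86 revisions the alerts quote (-02, from 102551 and 102554) since every alert says "or later". The sample patch listing is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not part of the CERT-Renater note or of Sun's alerts):
# classify a Solaris 10 host against the criteria the three alerts give.
#  - risk class: CMT hardware (uname -m == sun4v, or prtconf -pv listing
#    SUNW,UltraSPARC-IV), per the Contributing Factors sections
#  - fix state: kernel patch 119998 (SPARC) / 119999 (x86) at the
#    revision the Resolution sections require
# The decision functions take their inputs as strings so they can be
# exercised offline; report_host() feeds them live command output.
# Assumption: patch listings look like showrev -p / patchadd -p output,
# one "Patch: NNNNNN-RR Obsoletes: ... Packages: ..." line per patch.

# is_cmt_system KERNARCH PRTCONF_TEXT -> exit 0 if the alerts' CMT test matches
is_cmt_system() {
    [ "$1" = "sun4v" ] && return 0
    printf '%s\n' "$2" | grep -q 'SUNW,UltraSPARC-IV'
}

# required_patch KERNARCH -> prints "base-rev" for the platform, or nothing.
# x86 uses the higher of the two revisions quoted in the alerts (-01 in
# 102796, -02 in 102551 and 102554); all of them say "or later".
required_patch() {
    case $1 in
        sun4u|sun4v) echo 119998-01 ;;
        i86pc)       echo 119999-02 ;;
    esac
}

# installed_revision PATCHLIST BASEID -> prints the highest installed
# revision of BASEID as a decimal number, or nothing if it is absent
installed_revision() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# patch_status KERNARCH PATCHLIST -> prints patched | outdated | missing | unknown-platform
patch_status() {
    req=$(required_patch "$1")
    if [ -z "$req" ]; then
        echo unknown-platform
        return 0
    fi
    minrev=$(expr "${req#*-}" + 0)           # "02" -> 2, decimal
    rev=$(installed_revision "$2" "${req%-*}")
    if [ -z "$rev" ]; then
        echo missing
    elif [ "$rev" -ge "$minrev" ]; then
        echo patched
    else
        echo outdated
    fi
}

# report_host: run the commands the alerts name on the live system and
# print a verdict. Off Solaris the commands are missing and the patch
# verdict is "unknown-platform".
report_host() {
    kernarch=$(uname -m 2>/dev/null)
    prtconf_text=$(prtconf -pv 2>/dev/null)
    patchlist=$(showrev -p 2>/dev/null)
    if is_cmt_system "$kernarch" "$prtconf_text"; then
        echo "CMT hardware: yes (risk class of alerts 102551/102554)"
    else
        echo "CMT hardware: no (alert 102796 still applies to any Solaris 10)"
    fi
    echo "kernel patch: $(patch_status "$kernarch" "$patchlist")"
}

# Constructed sample listing (not captured from a real system), for
# offline use: one unrelated patch plus the SPARC fix at revision 01.
SAMPLE_PATCHES=$(printf '%s\n' \
    'Patch: 118833-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu' \
    'Patch: 119998-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu')

if [ "${1:-}" = "--live" ]; then
    report_host
fi
```

Run it with --live on the host to be checked; without the flag it only defines the functions, so it can be sourced from a fleet inventory script that already has showrev -p output collected. A "missing" or "outdated" verdict on a host carrying the workloads the alerts describe is the condition to remediate, since none of the three alerts offers a workaround.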
======================================================================

=========================================================
Les serveurs de référence du CERT-Renater

  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital     | fax : 01-53-94-20-41      +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================