A security vulnerability in the Solaris file system driver for hsfs(7FS) file systems may allow local unprivileged users the ability to panic the system, creating a Denial of Service (DoS) condition, and/or execute arbitrary code with elevated privileges.

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 109764-06
• Solaris 9 without patch 116047-03
• Solaris 10 without patch 119596-03

x86 Platform

• Solaris 8 without patch 109765-06
• Solaris 9 without patch 121995-01
• Solaris 10 without patch 118813-03

If the described issue occurs, the system will panic with BAD TRAPs at various locations in the hsfs(7FS) module. There are many potential stack traces, but the most frequent panic has a stack trace similar to the following:

    <trap>genunix:segmap_getmapflt+0x30([ ... ])
    genunix:fbread+0x60([ ... ])
    hsfs:hs_dirlook+0x1e0()
    hsfs:hsfs_lookup([ ... ])
    genunix:lookuppnvp+0x2ac([ ... ])
    genunix:lookuppnat+0x124([ ... ])
    genunix:lookupnameat+0xb0([ ... ])
    genunix:lookupname([ ... ])
    genunix:chdir+0x14([ ... ])
    unix:syscall_trap32+0xa8()

Note: The above example is only one of several failure modes (the most pervasive)that may be seen.

To work around the described issue, sites may choose to disable the use of CDROM media by removing the references to the hsfs(7FS) file system from "/etc/vold.conf" and commenting out the lines in "/etc/rmmount.conf" referring to the hsfs(7FS) file system.

To identify the references to the hsfs(7FS) file system, the following command can be run:

    $ grep hsfs /etc/vold.conf /etc/rmmount.conf
    /etc/vold.conf:unsafe ufs hsfs pcfs udfs
    /etc/rmmount.conf:ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:mount * hsfs udfs ufs -o nosuid

To disallow CDROM access for unprivileged users, do the following:

Replace the lines:

    /etc/vold.conf:unsafe ufs hsfs pcfs udfs
    /etc/rmmount.conf:ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:mount * hsfs udfs ufs -o nosuid

With:

    /etc/vold.conf:unsafe ufs pcfs udfs
    /etc/rmmount.conf:#ident hsfs ident_hsfs.so cdrom
    /etc/rmmount.conf:#mount * hsfs udfs ufs -o nosuid

Note: The example shown above is on an unmodified Solaris 9 system.

This issue is addressed in the following releases:

SPARC platform

• Solaris 8 with patch 109764-06 or later
• Solaris 9 with patch 116047-03 or later
• Solaris 10 with patch 119596-03 or later

x86 Platform

• Solaris 8 with patch 109765-06 or later
• Solaris 9 with patch 121995-01 or later
• Solaris 10 with patch 118813-03 or later

This solution has no attachment