Security vulnerabilities in the Solaris event port API may allow a local unprivileged user the ability to run an application which uses the API in such a way as to cause the system to panic, leading to a Denial of Service (DoS) condition.

The Apache server is an example of an application that makes use of the event port API. On a system running Apache2 (Apache/2.2.0) it may be possible for a remote unprivileged user to cause that system to panic, resulting in a Denial of Service (DoS) condition.

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 118833-12

x86 Platform

• Solaris 10 without patch 118855-10

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: The Apache 2 web server that is distributed with Solaris 10 in packages SUNWapch2d and SUNWapch2u is not affected by this issue.

To determine if apache is using event port API, the following command can be used:

    # pfiles <httpd pid> | grep S_IFPORT
    14: S_IFPORT mode:0000 dev:301,0 uid:1 gid:12 size:0

Note: <httpd pid> refers to the process id of the apache process.

The above example indicates that the apache process has create an event port, hence this version of apache is vulnerable.

The above command will produce no output on an unaffected system.

If the described issue occurs, the system will panic with a panic stack trace similar to one of the following:

    <trap>genunix:list_remove+0xb()
    genunix:port_remove_done_event+0x4b()
    portfs:port_associate_fd+0x2b8()
    portfs:portfs+0x303()
    portfs:portfs32+0x24()
    unix:_syscall32_save+0xad()

    die+78()
    genunix:port_remove_event_doneq+8()
    genunix:port_remove_fd_object+7c()
    genunix:port_close_pfd+20()
    genunix:___const_seg_900000101+8874()
    genunix:closeandsetf+374()
    genunix:close+8()

    mutex_enter+4()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()

    die+0x78()
    trap+0x8f0()
    ktl0+0x48()
    port_close_pfd+0x2c()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()

    vpanic()
    turnstile_block+0x61c()
    mutex_vector_enter+0x424()
    port_close_pfd+0x2c()
    port_close_fd+0x6c()
    closeandsetf+0x374()
    close+8()
    syscall_trap+0xac()

There is no workaround. Please see the "Resolution" section below.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 118833-12 or later

x86 Platform

• Solaris 10 with patch 118855-10 or later

This solution has no attachment