A security vulnerability in the Human Interface Device (HID) class driver for Solaris 8, 9 and 10 may allow a local unprivileged user to panic the system, causing a Denial of Service (DoS).

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 109896-35
• Solaris 9 without patch 115553-28
• Solaris 10 without patch 125123-01

x86 Platform

• Solaris 9 without patch 115554-24
• Solaris 10 without patch 125124-01

Notes:

1. Solaris 8 on the x86 platform is not affected by this issue.
2. Systems are only impacted by this issue if the HID module is loaded. This happens as soon as you plugin a USB HID class device to the host. USB keyboard, mouse, etc fall into this category.

To determine if the HID module is loaded, the following command can be run:

    $ modinfo | grep hid
    84  138cc18   36d8  54   1  hid (USB HID Client Driver 1.36)
    85  138f938   32e8   -   1  hidparser (HID PARSER 1.13)

A system panic due to this issue will contain a stack trace similar to the following:

    freemsg+0x46()
    hid_qreply_merror+0x44()
    hid_wput+0x19f()
    putnext+0x31a()
    usbms_wput+0xc3()
    putnext+0x31a()
    consmslwserv+0x3d()
    runservice+0x62()
    queue_service+0x5b()
    stream_service+0xe8()
    taskq_d_thread+0xe8()
    thread_start+8()

There is no workaround for this issue. Please see the Resolution section below.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 109896-35 or later
• Solaris 9 with patch 115553-28 or later
• Solaris 10 with patch 125123-01 or later

x86 Platform

• Solaris 9 with patch 115554-24 or later
• Solaris 10 with patch 125124-01 or later

• Updated Contributing Factors section

This solution has no attachment