Solaris 9 Systems With Solaris Auditing (BSM) Enabled may Panic if Certain Audit Classes are Being Audited



Category: Availability, Security
Release Phase: Resolved
Product: Solaris 9 Operating System
Bug Id: 4714273
Date of Resolved Release: 01-MAY-2007


Impact

Local unprivileged users may be able to panic Solaris systems which have Solaris Auditing (BSM) enabled. Being able to panic a Solaris Auditing enabled system is a type of Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

Note 1: This issue does not affect Solaris 8 or Solaris 10.

Note 2: This issue only affects systems which have Solaris Auditing (see bsmconv(1M)) enabled.

To determine whether a system has Solaris Auditing enabled, use the grep(1) command to search the "/etc/system" file for a reference to the c2audit kernel module, as in the following example:

    $ grep c2audit /etc/system
    set c2audit:audit_load = 1

Note 3: This issue only occurs on systems where Solaris Auditing has been configured to audit one of the following audit classes (see audit_class(4)):

    0x00000001:fr:file read 
    0x00000002:fw:file write
    0x00000008:fm:file attribute modify
    0x00000010:fc:file create
    0x00000020:fd:file delete

To determine which audit classes have been configured on the system, consult the audit_control(4) and audit_user(4) files.
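
The two checks above (the c2audit entry in "/etc/system", then the audit classes in audit_control(4) and audit_user(4)) can be combined into one script. This is an added example, not part of the original Sun Alert; the function names are hypothetical. It is deliberately conservative: it reports any flag that enables one of the listed classes or `all`, and it does not evaluate never-audit flags, custom classes defined in audit_class(4), or the masks of running processes.

```shell
#!/bin/sh
# Added example (not Sun's code): conservative exposure check for this alert.
# Paths are arguments so it can be run on copies of the configuration files.

AFFECTED="fr fw fm fc fd all"  # classes from Note 3, plus "all", which includes them

# Print each affected class enabled by a comma-separated audit flag list.
# "+" (success only) and "-" (failure only) still enable a class; "^" turns it off.
affected_in_flags() {
    echo "$1" | tr ',' '\n' | tr -d ' \t' | while read -r flag; do
        case "$flag" in '^'*) continue ;; esac
        name=${flag#[+-]}
        for c in $AFFECTED; do
            if [ "$name" = "$c" ]; then echo "$c"; fi
        done
    done
}

# List findings from audit_control(4) ($1) and audit_user(4) ($2).
list_findings() {
    for key in flags naflags; do
        list=$(sed -n "s/^$key:\(.*\)/\1/p" "$1" | tr '\n' ',')
        for c in $(affected_in_flags "$list"); do echo "audit_control $key: $c"; done
    done
    # audit_user format: username:always-audit-flags:never-audit-flags
    grep -v '^#' "$2" | while IFS=: read -r user always never; do
        for c in $(affected_in_flags "$always"); do echo "audit_user $user: $c"; done
    done
}

# Return 0 and print findings if the configuration matches the alert, else return 1.
# $1 = /etc/system, $2 = audit_control, $3 = audit_user
check_bsm_exposure() {
    # Same test as the grep above, skipping "*" comment lines in /etc/system.
    if ! grep -v '^\*' "$1" | grep 'c2audit:audit_load' >/dev/null; then
        echo "Solaris Auditing not enabled in $1"; return 1
    fi
    findings=$(list_findings "$2" "$3")
    if [ -z "$findings" ]; then
        echo "auditing enabled, none of the affected classes configured"; return 1
    fi
    echo "$findings"
}
```

On a live system the call would be `check_bsm_exposure /etc/system /etc/security/audit_control /etc/security/audit_user`; each line it prints names a file, the entry, and the affected class to remove for the workaround.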


Symptoms

Should the described issue occur, the system panics with a stack backtrace which ends with the following function calls:

    bcopy+0x170(300016c86c8, 0, ffffffc7, 38, 0, 300016c86c8)
    audit_savepath+0x10c(30000c29048, 0, 0, 30000225b68, 0, 300008c5d40)
    lookuppnvp+0x80c(30000225b68, 0, 1, 0, 0, 1494400)
    [...]

 


Workaround

Until patches can be applied, Solaris Auditing can be configured to not audit the audit classes mentioned in Section 2 above. This can be done by modifying the audit_control(4) and audit_user(4) files and then either rebooting the system or modifying the audit preselection mask of running processes on the system using auditconfig(1M).


Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform






Article Details
Article ID : 200084
Article Type : Sun Alert
Last reviewed : 2007-05-01
Audience : PUBLIC