Security vulnerabilities in certain ioctl(2) functions in the ata(7D) disk driver may allow a local unprivileged user to panic the system, causing a Denial of Service (DoS) condition.

These issues can occur in the following releases:

x86 Platform

• Solaris 8 without patch 109798-04
• Solaris 9 without patch 117122-03
• Solaris 10 without patch 123779-02

Notes:

1. The SPARC platform is not affected by these issues.
2. These issues only affect x86 systems which have ATA disks installed.
3. Bug 6433123 concerns two affected ioctls which impact Solaris 8,9 and 10, while Bug 6433124 concerns one additional ioctl which only impacts Solaris 10.

To determine if the ata(7D) kernel module is in use, the following command can be run:

    % modinfo | grep -w ata

Should the described issues occur, the system may panic and generate a stack trace similar to one of the following:

32 bit i386 system:

    ata_disk_ioctl+0x16f()
    dadk_ioctl+0x1d7()
    cmdkioctl+0x361()
    cdev_ioctl+0x2b()
    spec_ioctl+0x62()
    fop_ioctl+0x24()
    ioctl+0x199()
    sys_sysenter+0x101()

64 bit i386 system:

    ata_disk_ioctl+0x14c()
    dadk_ioctl+0x225()
    cmdkioctl+0x1d8()
    cdev_ioctl+0x1d()
    spec_ioctl+0x50()
    fop_ioctl+0x25()
    ioctl+0xac()
    sys_syscall32+0x101()

There is no workaround for these issues. Please see the Resolution section below.

These issues are addressed in the following releases:

x86 Platform

• Solaris 8 with patch 109798-04 or later
• Solaris 9 with patch 117122-03 or later
• Solaris 10 with patch 123779-02 or later

This solution has no attachment