A race condition security vulnerability in the Solaris Remote Procedure Call (RPC) Module may allow a local unprivileged user to panic the system, resulting in a Denial of Service (DoS) condition.

This issue can occur in the following releases:

SPARC Platform:

• Solaris 8 without patch 116959-20
• Solaris 9 without patch 113278-18
• Solaris 10 without patch 127739-01

x86 Platform:

• Solaris 8 without patch 116960-20
• Solaris 9 without patch 119439-11
• Solaris 10 without patch 127740-01

Note: This issue only affects systems which have the 'rpcmod' kernel module loaded.

To determine if the the 'rpcmod' kernel module is loaded, the following command can be run:

    $ modinfo -c | grep rpcmod || echo "System not impacted."

Should the described issue occur, the system may panic with a NULL pointer dereference and with a message similar to the following:

    panic[cpu0]/thread=2a100717d40: 0x3000619cea0: BAD TRAP: type=31
    rp=2a100716c50 addr=8 mmu_fsr=0 occurred in module "rpcmod" due to 
    a NULL pointer dereference.

For some situations it may be possible to avoid loading rpcmod by not running RPC services on the system; however, this will remove RPC functionality. If this is not acceptable, please see the Resolution section below.

This issue is addressed in the following releases:

SPARC Platform:

• Solaris 8 with patch 116959-20 or later
• Solaris 9 with patch 113278-18 or later
• Solaris 10 with patch 127739-01 or later

x86 Platform:

• Solaris 8 with patch 116960-20 or later
• Solaris 9 with patch 119439-11 or later
• Solaris 10 with patch 127740-01 or later

This solution has no attachment