BUGTRAQ ID: 33188
CNCAN ID: CNCAN-2009011201

Sun Solaris is a commercial server operating system.

Sun Solaris 'aio_suspend()' contains an integer overflow; a local attacker can exploit it to mount a denial-of-service attack against the system.

The problem exists in the following code:

/uts/common/os/aio.c
[..]
static int64_t
kaioc(
    long a0,
    long a1,
    long a2,
    long a3,
    long a4,
    long a5)
{
    int error;
    long rval = 0;

    switch ((int)a0 & ~AIO_POLL_BIT) {
    ...
    case AIOSUSPEND:
[1]     error = aiosuspend((void *)a1, (int)a2, (timespec_t *)a3,
            (int)a4, &rval, AIO_64);
        break;
[..]

[1] The arguments "a1", "a2", "a3" and "a4" of "aiosuspend()" are user-controlled.

/uts/common/os/aio.c
[..]
static int
aiosuspend(
    void *aiocb,
    int nent,
    struct timespec *timout,
    int flag,
    long *rval,
    int run_mode)
{
    ...
    aiop = curproc->p_aio;
[2] if (aiop == NULL || nent <= 0)
        return (EINVAL);
    ...
    if (model == DATAMODEL_NATIVE)
[3]     ssize = (sizeof (aiocb_t *) * nent);
#ifdef _SYSCALL32_IMPL
    else
[3]     ssize = (sizeof (caddr32_t) * nent);
#endif /* _SYSCALL32_IMPL */

[4] cbplist = kmem_alloc(ssize, KM_NOSLEEP);
[..]

[2] "nent" is user-controlled, and the "nent" > 0 check can be bypassed.
[3] "ssize" is computed from the user-controlled "nent" value. Supplying 0x3fffffff as "nent" triggers an integer overflow, so that "ssize" = 0x00000000. "kmem_alloc()" is then called with a length of 0x00000000 (see [4]); "kmem_alloc()" itself calls "vmem_alloc()" with a length of 0x00000000, which in turn calls "vmem_xalloc()" with the same "size" value.

/lib/libumem/common/vmem.c
[..]
void *
vmem_xalloc(vmem_t *vmp, size_t size, size_t align, size_t phase,
    size_t nocross, void *minaddr, void *maxaddr, int vmflag)
{
    ...
[6] if (size == 0)
        umem_panic("vmem_xalloc(): size == 0");
[..]
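As an added illustration (not code from the advisory or from the Solaris source), the following C program models the "ssize" computation at [3] under the 32-bit size_t of a 32-bit kernel (4-byte pointers, an assumption) and shows how a hardened version of the check at [2] rejects an overflowing or zero size before it reaches the allocator; ELEM_SIZE and AIO_MAX_ENTRIES are hypothetical constants chosen for the example.

```c
/* Added example, not from the advisory or from Solaris: models the ssize
 * computation in aiosuspend() with 32-bit size_t arithmetic and contrasts it
 * with an overflow-safe form of the nent check. */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define ELEM_SIZE        4u     /* assumed sizeof (aiocb_t *) on a 32-bit kernel */
#define AIO_MAX_ENTRIES  4096u  /* hypothetical upper bound on list entries */

/* Vulnerable form: only nent <= 0 is rejected; the product wraps modulo 2^32. */
static uint32_t vuln_ssize(int nent, int *err)
{
    *err = 0;
    if (nent <= 0) { *err = EINVAL; return 0; }
    return ELEM_SIZE * (uint32_t)nent;      /* may wrap to 0 */
}

/* Hardened form: bound nent and refuse any product that wraps or is zero,
 * so a zero-length request can never reach the allocator. */
static int safe_ssize(int nent, uint32_t *out)
{
    if (nent <= 0 || (uint32_t)nent > AIO_MAX_ENTRIES)
        return EINVAL;                      /* bound alone stops this bug */
    if ((uint32_t)nent > UINT32_MAX / ELEM_SIZE)
        return EINVAL;                      /* defence in depth: would wrap */
    *out = ELEM_SIZE * (uint32_t)nent;
    return (*out == 0) ? EINVAL : 0;
}

int main(void)
{
    /* Constructed sample values; 0x40000000 * 4 is exactly 2^32 in this model. */
    int samples[] = { 16, 0x40000000, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int err, rc;
        uint32_t v = vuln_ssize(samples[i], &err);
        uint32_t s = 0;
        rc = safe_ssize(samples[i], &s);
        printf("nent=0x%08x  vuln: err=%d ssize=0x%08x  safe: rc=%d ssize=0x%08x\n",
               (unsigned)samples[i], err, (unsigned)v, rc, (unsigned)s);
    }
    return 0;
}
```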
[6] If a "size" value of 0x00000000 is passed to "vmem_xalloc()", the kernel panics and the system crashes.

Affected versions:
Sun Solaris 9_x86
Sun Solaris 9_sparc
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8
Sun Solaris 10_x86
Sun Solaris 10_sparc
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun Solaris 10
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
Sun OpenSolaris

The following patches are available:

Sun Solaris 10, 10.0, 10_sparc:
    Sun 121394-02 for SPARC
    http://sunsolve.sun.com/pdownload.do?target=121394-02&method=h

Sun Solaris 10, 10.0, 10.0_x86, 10_x86:
    Sun 121395-02 for x86
    http://sunsolve.sun.com/pdownload.do?target=121395-02&method=h

Sun Solaris 9:
    Sun 138577-01 for SPARC
    http://sunsolve.sun.com/pdownload.do?target=138577-01&method=h

Sun Solaris 9, 9_x86:
    Sun 138578-01 for x86
    http://sunsolve.sun.com/pdownload.do?target=138578-01&method=h

Sun Solaris 8:
    Sun 117350-59 for SPARC
    http://sunsolve.sun.com/pdownload.do?target=117350-59&method=h

Sun Solaris 8, 8_x86:
    Sun 117351-59 for x86
    http://sunsolve.sun.com/pdownload.do?target=117351-59&method=h