Sunday, January 11, 2009

vmem_xalloc(): size == 0

The Solaris kernel vulnerability described in TKADV2009-001 can be trivially exploited by an unprivileged user to panic the whole Solaris system (the global zone and every non-global zone on it), even when it is triggered from inside a restricted non-global zone running with nothing more than the basic privilege set.

$ id
uid=101(tk) gid=1(other)

$ zonename
unpriv_zone

$ ppriv -S $$
1157:   -bash
flags = <none>
E: basic
I: basic
P: basic
L: zone

$ ./poc

The system crashes with a kernel panic. Debugging information (kernel debugger output from the crash dump):
> ::msgbuf
[...]
panic[cpu0]/thread=d4764de0:
vmem_xalloc(): size == 0


d418cd94 genunix:vmem_xalloc+2d8 (fec66738, 0, 1000, )
d418cdd0 genunix:vmem_alloc+135 (fec66738, 0, 1)
d418cdfc unix:segkmem_xalloc+2d (fec66738, 0, 0, 1, )
d418ce28 unix:segkmem_alloc_vn+b7 (fec66738, 0, 1, fec)
d418ce40 unix:segkmem_alloc+16 (fec66738, 0, 1)
d418ce8c genunix:vmem_xalloc+3b4 (da004690, fffffffc,)
d418cec8 genunix:vmem_alloc+135 (da004690, fffffffc,)
d418cee4 genunix:kmem_alloc+32 (fffffffc, 1)
d418cf30 kaio:aiosuspend+a6 (0, 3fffffff, 0, 0, )
d418cf64 kaio:kaio+162 (d418cf8c, d418cf78)
d418cf84 genunix:syscall_ap+4d (8, 0, 3fffffff, 0, )

Well, is it really necessary to panic the whole system just because an allocation of size 0 was requested?
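To show where that 0 comes from and where it could have been refused, here is an added worked example in C. It is not code from the post, from TK's proof of concept, or from the Solaris kernel; it models the arithmetic visible in the stack trace. Reading the trace bottom-up: aiosuspend is entered with a second argument of 0x3fffffff, kmem_alloc is asked for 0xfffffffc bytes (which is 0x3fffffff * 4, i.e. an array of that many 32-bit pointers, an assumption about the kaio code), and vmem_xalloc rounds the request up to the 0x1000 quantum shown as its third argument. On a 32-bit kernel 0xfffffffc rounded up to 0x1000 is 0x100000000, which wraps to 0, so the nested segkmem/vmem_alloc call sees size == 0 and panics. The macro P2ROUNDUP32 mirrors the Solaris P2ROUNDUP definition evaluated in 32-bit arithmetic; the function names, the 4-byte pointer size and the max_nent bound are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Page size (vmem quantum) on the 32-bit x86 kernel in the trace. */
#define PAGESIZE32 0x1000u

/* Solaris-style power-of-two round-up, P2ROUNDUP(x, a) == -(-(x) & -(a)),
 * evaluated in uint32_t so it wraps exactly like the 32-bit kernel did. */
#define P2ROUNDUP32(x, align) \
    ((uint32_t)(-(-(uint32_t)(x) & -(uint32_t)(align))))

/* Unchecked round-up, as vmem_xalloc does before handing the size on.
 * 0xfffffffc rounds to 0x100000000, which wraps to 0 in 32 bits:
 * that is the "size == 0" the panic complains about. */
uint32_t roundup_page32(uint32_t size)
{
    return P2ROUNDUP32(size, PAGESIZE32);
}

/* Checked variant: the largest size that still rounds up without
 * wrapping is UINT32_MAX - (PAGESIZE32 - 1). Returns 0 and stores the
 * rounded size on success, -1 if the request is 0 or would wrap. */
int roundup_page32_checked(uint32_t size, uint32_t *out)
{
    if (size == 0 || size > UINT32_MAX - (PAGESIZE32 - 1))
        return -1;
    *out = P2ROUNDUP32(size, PAGESIZE32);
    return 0;
}

/* Byte count for an array of nent 32-bit pointers, computed the way a
 * 32-bit kernel would (assumption: sizeof(void *) == 4). With the
 * nent = 0x3fffffff from the trace this yields 0xfffffffc. Note that
 * the multiplication itself does not wrap; the round-up does. */
uint32_t ptr_array_bytes32(uint32_t nent)
{
    return nent * 4u;
}

/* What a hardened caller should do before allocating: bound the
 * user-controlled count against a sane maximum (max_nent is a
 * hypothetical limit chosen by the caller) and against the wrap limit,
 * then use the checked round-up. Returns 0 on success, -1 on refusal. */
int ptr_array_bytes32_checked(uint32_t nent, uint32_t max_nent, uint32_t *out)
{
    if (nent == 0 || nent > max_nent || nent > UINT32_MAX / 4u)
        return -1;
    return roundup_page32_checked(nent * 4u, out);
}

int main(void)
{
    uint32_t nent = 0x3fffffffu;          /* from the trace */
    uint32_t bytes = ptr_array_bytes32(nent);
    uint32_t rounded = roundup_page32(bytes);
    uint32_t out = 0;

    printf("nent=0x%08x bytes=0x%08x rounded=0x%08x\n", nent, bytes, rounded);
    printf("checked: %s\n",
           ptr_array_bytes32_checked(nent, 0x10000u, &out) == 0 ? "ok" : "refused");
    return 0;
}
```

Running the example reproduces the chain 0x3fffffff -> 0xfffffffc -> 0 without touching a kernel; the checked path refuses the request at the system-call boundary, which is where a user-controlled count should be validated rather than deep inside the allocator where the only remaining option is to panic.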