Sunday, January 31, 2010

Kernel NULL Pointer Dereference in (Open)Solaris

Today I released a security advisory (TKADV2010-001) describing a NULL pointer dereference in the kernel of Oracle Solaris 10 and OpenSolaris (x86). The bug happens in processor microcode code when retrieving the microcode revision.

Debugging information (SunOS 5.10 Generic_139556-08 i86pc i386 i86pc):

> ::msgbuf
[..]
panic[cpu0]/thread=ffffffff87df87c0:
BAD TRAP: type=e (#pf Page fault) rp=fffffe80012dcbf0 addr=0 occurred in module "unix" due to a NULL pointer dereference


poc:
#pf Page fault
Bad kernel fault at addr=0x0
pid=1471, pc=0xfffffffffb81e8f3, sp=0xfffffe80012dcce0, eflags=0x10286
cr0: 8005003b cr4: 6b0
cr2: 0 cr3: 9f84000 cr8: c
        rdi:                0 rsi:                1 rdx:               b6
        rcx:                0  r8: ffffffff88050b20  r9: ffffffff87df87c0
        rax:                0 rbx:                0 rbp: fffffe80012dccf0
        r10:               f5 r11:                0 r12:                0
        r13:                1 r14:                3 r15:           100001
        fsb: ffffffff80000000 gsb: fffffffffbc278a0  ds:               43
         es:               43  fs:                0  gs:              1c3
        trp:                e err:                2 rip: fffffffffb81e8f3
         cs:               28 rfl:            10286 rsp: fffffe80012dcce0
         ss:               30

fffffe80012dcb00 unix:die+da ()
fffffe80012dcbe0 unix:trap+5e6 ()
fffffe80012dcbf0 unix:_cmntrap+140 ()
fffffe80012dccf0 unix:ucode_get_rev+53 ()
fffffe80012dcd80 ucode:ucode_ioctl+22e ()
fffffe80012dcd90 genunix:cdev_ioctl+1d ()
fffffe80012dcdb0 specfs:spec_ioctl+50 ()
fffffe80012dcde0 genunix:fop_ioctl+25 ()
fffffe80012dcec0 genunix:ioctl+ac ()
fffffe80012dcf10 unix:brand_sys_sysenter+1f2 ()

syncing file systems...
 done
dumping to /dev/dsk/c0d0s1, offset 110231552, content: kernel

Now that Oracle has completed its acquisition of Sun the Sun Alert for this vulnerability will be published in April as part of Oracle's next Critical Patch Update (CPU). The exact date would be 13 April 2010 as documented here.

Since the patch for Solaris 10 is already available and the diffs will be visible in the Mercurial repository and in the OpenSolaris source browser I chose not to wait until 13 April but published my advisory today.

Saturday, January 02, 2010

checksec.sh with PaX support

New checksec.sh release.

What's new with version 1.2:

* Additional PaX (http://pax.grsecurity.net/) checks
  Thanks to Brad Spengler (grsecurity.net) for the PaX support.

* Some minor fixes (coloring adjusted, 'pidof' replacement)
You can download the new version 1.2 of checksec.sh here.