Vigil@nce: Solaris, denial of service via pollwakeup
August 2009 by Vigil@nce
A local attacker can execute a program using poll() in order to
stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/08/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The poll() function is used to wait for events on file descriptors
(data to read, ready to write, etc.).
The pollwakeup() function of the usr/src/uts/common/syscall/poll.c
file wakes threads waiting on an event. This function uses the
mutex_enter() function to lock the event handling. However, if a
new thread uses poll() on the same resource, pollwakeup() takes
the same lock again without checking whether it is already held,
which panics the kernel.
A local attacker can therefore execute a multi-threaded program
using poll() in order to stop the system.
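The missing ownership check described above, shown as an added user-space model that is not Solaris source and not part of the original bulletin. All names (model_mutex, model_pollhead, wakeup_unchecked, wakeup_checked, run_model) are hypothetical, and the model assumes the second acquisition happens on the thread that already owns the lock, which is the case where a non-recursive kernel mutex panics.

```c
/* User-space model, constructed for illustration; not Solaris source. */
#include <stdio.h>

#define NO_OWNER (-1)

/* Non-recursive lock that records its owner (hypothetical model type). */
struct model_mutex { int owner; int panics; };
struct model_pollhead { struct model_mutex lock; int woken; };
typedef void (*notify_fn)(struct model_pollhead *, int);

/* Returns -1 where a non-recursive kernel mutex would panic: owner re-entry. */
static int model_enter(struct model_mutex *m, int tid) {
    if (m->owner == tid) { m->panics++; return -1; }
    m->owner = tid;               /* single-threaded model: never contended */
    return 0;
}
static void model_exit(struct model_mutex *m) { m->owner = NO_OWNER; }
static int model_held(const struct model_mutex *m, int tid) { return m->owner == tid; }

/* Flawed shape: always takes the lock, even if this thread already holds it. */
static void wakeup_unchecked(struct model_pollhead *ph, int tid, notify_fn cb) {
    if (model_enter(&ph->lock, tid) != 0) return;   /* a kernel panics here */
    ph->woken++;
    if (cb) cb(ph, tid);          /* notification path that re-enters wakeup */
    model_exit(&ph->lock);
}

/* Hardened shape: test ownership first, and release only what was taken. */
static void wakeup_checked(struct model_pollhead *ph, int tid, notify_fn cb) {
    int took = !model_held(&ph->lock, tid);
    if (took && model_enter(&ph->lock, tid) != 0) return;
    ph->woken++;
    if (cb) cb(ph, tid);
    if (took) model_exit(&ph->lock);
}

static void reenter_unchecked(struct model_pollhead *ph, int tid) { wakeup_unchecked(ph, tid, NULL); }
static void reenter_checked(struct model_pollhead *ph, int tid) { wakeup_checked(ph, tid, NULL); }

/* Runs one nested wakeup; returns the panic count, stores completed wakeups. */
int run_model(int checked, int *woken) {
    struct model_pollhead ph = { { NO_OWNER, 0 }, 0 };
    if (checked) wakeup_checked(&ph, 1, reenter_checked);
    else wakeup_unchecked(&ph, 1, reenter_unchecked);
    *woken = ph.woken;
    return ph.lock.panics;
}

int main(void) {
    int wu = 0, wc = 0;
    int pu = run_model(0, &wu);
    int pc = run_model(1, &wc);
    printf("unchecked: panics=%d wakeups=%d\nchecked: panics=%d wakeups=%d\n", pu, wu, pc, wc);
    return 0;
}
```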
CHARACTERISTICS
Identifiers: 265248, 6468901, VIGILANCE-VUL-8968
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-pollwakeup-8968